From: Aron Roberts (aron@socrates.berkeley.edu)
Date: Wed Aug 27 2003 - 10:37:50 PDT
Hi Pete,
In the message "[MAGNet] Macs and sobig.f", dated 2003-08-26, you wrote:
>A couple of users are receiving lots of emails with subjects: RE:
>details, RE: movie thing, etc. One says she's receiving about a
>dozen every five minutes.
>What can be done to stop these?
>These are Macs running 9.2.2
In the message "HELP! Fwd: You sent potentially unsafe content: Re:
Det", dated 2003-08-27, you wrote:
>I've received a few emails similar to the one I've forwarded here.
>Is it possible that someone is using my email account? What should
>I do?
>
>>From: [omitted]
>>Subject: You sent potentially unsafe content: Re: Details
>>To: <peteaslc@uclink.berkeley.edu>
>>
>>You sent a message that contained potentially
>>harmful content.
>>
>>Original message recipient(s):
>>[omitted]
>>
>>Scan report:
>>Virus 'Sobig.F@mm' in document_all.pif
Both of these behaviors are triggered by the SoBig.F worm. The
following Symantec article describes in detail what the worm does:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
Not only does the worm generate enormous numbers of e-mail messages
containing infected attachments -- hence the messages with subject
lines such as "Re: details" and "Re: That Movie" that your users are
receiving in droves -- but the worm also forges the "From:" lines in
the outgoing messages it generates by inserting addresses plucked
from the infected user's e-mail address book.
As a result, there are probably e-mail messages in transit
containing infected file attachments that appear to be "from"
peteaslc@uclink.berkeley.edu ... and for that matter, similar
messages that appear to be "from" aron@socrates.berkeley.edu (!).
When these messages are scanned by anti-virus or e-mail filtering
software at some sites, that software may send warning messages back
to the (forged) "From:" addresses -- such as your address or my
address -- similar to the response you cited above:
>You sent a message that contained potentially harmful content.
or, in another example:
>Found virus WORM_SOBIG.F in file your_document.pif. The file is deleted.
Pretty nasty worm, eh? Socrates is filtering incoming messages
generated by the worm -- stripping off the infected attachments --
and UCLink is blocking them outright, but this task is putting a
significant load on both systems.
The good news is that the current worm, by design, expires on
September 10th. The bad news is that its author(s) may already be
working on the next generation of the worm ...
Aron Roberts
Workstation Software Support Group
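The two kinds of mail described above (worm-generated messages with a .pif
attachment, and scanner "backscatter" sent to the forged "From:" address)
can both be recognised at the mail gateway. The following is an added
example, not part of Aron's message and not the real Socrates or UCLink
filter code; the function names, the X-Filter-Removed header and the three
sample messages are all constructed for the illustration. The attachment
names come from the Symantec write-up linked above, but the filter does not
depend on that list being complete: any executable-type attachment is
treated as worm mail.

```python
"""Added example (hypothetical filter, not either campus system's code):
classify mail as Sobig.F worm traffic or as anti-virus backscatter, then
strip the attachment (Socrates-style) or block the message (UCLink-style)."""
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default as DEFAULT_POLICY

# Attachment names used by Sobig.F, per the Symantec write-up linked above.
WORM_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif", "your_details.pif",
    "details.pif", "document_9446.pif", "application.pif", "wicked_scr.scr",
    "movie0045.pif",
}
# Any executable-type attachment is treated as worm mail regardless of name.
EXECUTABLE_EXT = (".pif", ".scr", ".exe", ".bat", ".com")

# Wording typical of scanner notifications sent back to the forged "From:".
# Limited to notification phrases (not the bare word "Sobig") so that a
# colleague's mail *about* the worm is not thrown away.
BACKSCATTER_RE = re.compile(
    r"you sent (a message that contained )?potentially (unsafe|harmful) content"
    r"|found virus\b|virus '[^']+' in \S+|the file is deleted|scan report:",
    re.IGNORECASE,
)


def attachment_names(msg: EmailMessage) -> list:
    """Filenames of every leaf part that carries one."""
    return [part.get_filename() for part in msg.walk()
            if not part.is_multipart() and part.get_filename()]


def body_text(msg: EmailMessage) -> str:
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def classify(msg: EmailMessage) -> str:
    """'worm' for a Sobig.F-style message, 'backscatter' for a scanner notice
    about a message the recipient never sent, otherwise 'clean'."""
    names = [n.lower() for n in attachment_names(msg)]
    if any(n in WORM_ATTACHMENTS or n.endswith(EXECUTABLE_EXT) for n in names):
        return "worm"
    subject = msg.get("Subject", "")
    if BACKSCATTER_RE.search(subject) or BACKSCATTER_RE.search(body_text(msg)):
        return "backscatter"
    return "clean"


def strip_attachments(msg: EmailMessage) -> EmailMessage:
    """Copy of msg with the text kept, every attachment dropped, and a note
    saying what was removed (the Socrates-style treatment)."""
    removed = attachment_names(msg)
    clean = EmailMessage(policy=DEFAULT_POLICY)
    for name in ("From", "To", "Subject"):
        if name in msg:
            clean[name] = msg[name]
    clean["X-Filter-Removed"] = ", ".join(removed)   # hypothetical header
    clean.set_content(body_text(msg) + "\n[Attachment(s) removed by filter: "
                      + ", ".join(removed) + "]\n")
    return clean


def filter_message(raw: bytes, mode: str = "strip"):
    """Return (verdict, message_to_deliver or None).  mode='strip' mirrors
    Socrates (deliver without the attachment); mode='block' mirrors UCLink
    (reject outright).  Backscatter is dropped in both modes: the "From:" it
    complains about was forged, so the notice is only noise to its recipient."""
    msg = message_from_bytes(raw, policy=DEFAULT_POLICY)
    verdict = classify(msg)
    if verdict == "clean":
        return verdict, msg
    if verdict == "backscatter" or mode == "block":
        return verdict, None
    return verdict, strip_attachments(msg)


# ---- constructed sample messages (not captured traffic) --------------------
def worm_sample() -> bytes:
    m = EmailMessage(policy=DEFAULT_POLICY)
    m["From"] = "peteaslc@uclink.berkeley.edu"   # forged by the worm
    m["To"] = "someone@example.org"
    m["Subject"] = "Re: Details"
    m.set_content("Please see the attached file for details.")
    m.add_attachment(b"MZ\x90\x00 placeholder, not a real worm body",
                     maintype="application", subtype="octet-stream",
                     filename="document_all.pif")
    return m.as_bytes()


def backscatter_sample() -> bytes:
    m = EmailMessage(policy=DEFAULT_POLICY)
    m["From"] = "postmaster@example.org"
    m["To"] = "peteaslc@uclink.berkeley.edu"     # forged sender gets the notice
    m["Subject"] = "You sent potentially unsafe content: Re: Details"
    m.set_content("You sent a message that contained potentially harmful "
                  "content.\n\nScan report:\nVirus 'Sobig.F@mm' in document_all.pif\n")
    return m.as_bytes()


def clean_sample() -> bytes:
    m = EmailMessage(policy=DEFAULT_POLICY)
    m["From"] = "aron@socrates.berkeley.edu"
    m["To"] = "peteaslc@uclink.berkeley.edu"
    m["Subject"] = "Re: Macs and sobig.f"
    m.set_content("Both behaviours are the Sobig.F worm; see the Symantec page.")
    return m.as_bytes()
```

Running filter_message over the three samples gives "worm" (delivered
without the .pif in strip mode, rejected in block mode), "backscatter"
(dropped) and "clean" (delivered unchanged). Two cautions a practitioner
would add: the name list only matters for the name check, since the
extension check already catches the worm's attachments, and the
backscatter patterns are deliberately narrow, because dropping every
message that mentions the worm would also drop the warnings people are
sending each other about it.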
This archive was generated by hypermail 2.1.5 : Wed Aug 27 2003 - 12:46:05 PDT