Well this has been a fun day....

Anyone having a problem with the Sobig.F virus? I found
one PC on our network that was infected; I've removed the
virus from the PC and am still getting a ton of the emails
being sent to my public folders.

My Virus software (NAV Corp) is picking up and deleting
the attachments, but I'm still getting nearly 200 emails
per hour - so it's got to be in my network somewhere.

Any suggestions on clearing all of this up? Anyone else
run into this problem lately?

Luckily Blaster was not a problem....


thanks in advance for suggestions.

david

Re: SoBig.F by Les

Les
Thu Aug 21 10:48:48 CDT 2003

Check the email headers to see what the origin is - internal or external.

--
Les Connor
------------------
[SBS MVP]



"David Mathias" <davidm@clip.com> wrote in message
news:0f5201c367fa$7ea62b10$a401280a@phx.gbl...
> John,
>
> Yep, I've run it on all the PC's with the latest virus
> defs.. i even ran symantec's "special" sobig removal tool
> on everyone via a login script this morning.. and it
> hasn't found it anywhere on the clients.
>
> I'm basically just redoing all of my steps...
>
> thanks for the reply.. unfortunately I'm the only one here
> that knows anything about virus removal... so I wanted to
> raise my head of the weeds and talk to someone else
> intelligent <smile>
>
> David
>
>
> >-----Original Message-----
> >Done a scan of all client PCs yet? That's where I would
> >start.



Re: SoBig.F by David

David
Thu Aug 21 11:01:39 CDT 2003

all of the email addresses are external -

My understanding of the sobig virus though is that the
message header may not mean anything as to the real source.

Thanks for your input - any other ideas?

david

Re: SoBig.F by Javier

Javier
Thu Aug 21 11:11:48 CDT 2003

The headers don't lie (generally)... it's the sender's address that's easily
forged (by this and many other viruses).

Cheers,

Javier



Re: SoBig.F by Rick

Rick
Thu Aug 21 11:25:10 CDT 2003

You are probably not infected but an associate who has your email address on
the Internet is infected. The virus finds email addresses in the local
address book and uses that as the sender, then when it gets returned it
comes back to you.
I have a client who was concerned, but once I showed them the email addresses
it finally made sense. Hope people get cleaned up, because it makes others
look like they are infected when they are not.

Rick in the Midwest



Re: SoBig.F by Todd

Todd
Thu Aug 21 11:26:13 CDT 2003

Did you also purchase Symantec Antivirus/Filtering for Exchange? If so, you
can create a filter to remove e-mails with the subject lines this virus
creates.

Todd



Re: SoBig.F by david

david
Thu Aug 21 11:43:56 CDT 2003

Yes.. I have done that and am filtering.. but it's taking
a heck of a lot of processor time.. and it seems to not be
catching all of them... I also have GFI Mail Essentials
and it's filtering too...

It's just strange that my NAV is sending back the following
message:

<<Subject: Norton AntiVirus detected a virus in a message
you sent.

The infected attachment was deleted.Recipient of the
infected attachment: CLIP01, First Storage Group\Public
Folder Store (CLIP01), /Sales
Subject of the message: Re: Thank you!
One or more attachments were deleted
Attachment wicked_scr.scr was Deleted for the following
reasons:
Virus W32.Sobig.F@mm was found.>>

The sender is actually my public folder aliases.



David

Re: SoBig.F by david

david
Thu Aug 21 11:48:56 CDT 2003

Rick,

Thanks.. I was/am leaning the same way... but it's sure
whacking my processor time on the server --- since 6pm ET
last night it's placed about 5000 emails in the SPAM
folder...

I've changed my filter to delete now instead of placing
the emails in the SPAM folder...

Thanks for the encouragement.

David



Re: SoBig.F by Les

Les
Thu Aug 21 11:57:42 CDT 2003

MVPs got nailed hundreds or tens of hundreds of times earlier this week.
Most of the emails were sent from only 2 to 5 IP addresses, but not all
MVPs got nailed by the same IPs. In my case, the mailings stopped in about
20 hours.

Some things that help:

a) see Steve Foster's method of using ISA to block the IPs (look for the thread
earlier this week).
b) if it's only a few IPs, set Exchange not to accept mail from those IPs.
c) use attachment blocking; there's no reason to allow scr, pif, bat, exe
etc. attachments. Do this at the A/V or Exchange level.

--
Les Connor
------------------
[SBS MVP]



Re: SoBig.F by Filippo

Filippo
Thu Aug 21 12:21:11 CDT 2003

Where can we find a detailed description on how to block certain attachments
from Exchange?

thanks,
Filippo



Re: SoBig.F by Les

Les
Thu Aug 21 13:21:23 CDT 2003

Let me rephrase that, please.

It's not precisely at the Exchange level, rather the SMTP level, and it's a
feature of the ISA Feature Pack. Sorry about that.

http://www.microsoft.com/isaserver/featurepack1/email.asp

--
Les Connor
------------------
[SBS MVP]



Re: SoBig.F by JoeM

JoeM
Thu Aug 21 19:51:44 CDT 2003

"David Mathias" <davidm@clip.com> wrote in message
news:07fa01c367fd$81aa14e0$a001280a@phx.gbl...
> all of the email addresses are external -
>
> My understanding of the sobig virus though is that the
> message header may not mean anything as to the real source.
>
> Thanks for your input - any other ideas?
>
> david

Make sure that you are looking at the Internet Header and not just the
"from" email address. The email address is spoofed by Sobig.F and most other
baddies. If you are using Outlook and viewing the email message, you can
find the Internet Header by selecting View -> Options. If there is no
Internet Header, the email originated internally.

The Internet Header will show something like:

Microsoft Mail Internet Headers Version 2.0
Received: from navgwout.symantec.com ([198.6.49.12]) by mail.domain.com with
Microsoft SMTPSVC(5.0.2195.6713);
Thu, 21 Aug 2003 11:10:20 -0700
Received: from navgwout.symantec.com (navgwout [198.6.49.12])
by navgwout.symantec.com (8.11.7+Sun/8.11.7) with SMTP id h7LIAJ824834
for <JoeM@domain.com>; Thu, 21 Aug 2003 11:10:19 -0700 (PDT)
Received: from mailer.symantec.com ([198.6.49.176])
by navgwout.symantec.com (SAVSMTP 3.1.1.32) with SMTP id
M2003082111101927116
for <JoeM@domain.com>; Thu, 21 Aug 2003 11:10:19 -0700
Received: from service.symantec.com (service.symantec.com [198.6.49.100])
by mailer.symantec.com (8.11.6+Sun/8.11.6) with ESMTP id h7LIAIo04478
for <JoeM@domain.com>; Thu, 21 Aug 2003 11:10:18 -0700 (PDT)
Received: (from news@localhost)
by service.symantec.com (8.10.2+Sun/8.10.2) id h7LIAIp12408;
Thu, 21 Aug 2003 11:10:18 -0700 (PDT)
Date: Thu, 21 Aug 2003 11:10:18 -0700 (PDT)
Message-Id: <200308211810.h7LIAIp12408@service.symantec.com>
To: JoeM@domain.com
From: "Symantec Service and Support" <tsnews@symantec.com>
Reply-To: "Symantec Service and Support" <tsnews@symantec.com>
Subject: Re: Update virus definitions more often than daily.
Return-Path: news@service.symantec.com
X-OriginalArrivalTime: 21 Aug 2003 18:10:20.0410 (UTC)
FILETIME=[7B9B9DA0:01C3680F]

Note all line groups starting with "Received:". From bottom to top they
show the true route of the email (unless spoofed).

Joe M
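An added example, not code from the thread, putting JoeM's header walkthrough and Les's attachment-blocking point (c) into practice: it reads the Received: chain top-down, trusting only lines stamped by servers you operate, to find the IP that actually connected; compares that with the From: domain to spot a forged sender; and lists attachments with blocked extensions. The relay names, domains, networks and the sample message are constructed for illustration.

```python
"""Triage a suspected Sobig.F-style message: walk the Received: chain to find
the real origin instead of trusting the forged From:, and flag attachments
with extensions that should never be accepted (scr, pif, bat, exe)."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr


def parse_received(value):
    """Pull the 'from' host, its bracketed IP and the 'by' host out of one
    Received: header.  Folded continuation lines are joined first."""
    text = " ".join(value.split())
    m_by = re.search(r"\sby\s+([^\s;()]+)", text)
    before_by = text[: m_by.start()] if m_by else text
    m_from = re.search(r"\bfrom\s+([^\s()]+)", before_by)
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", before_by)
    return {
        "from_host": m_from.group(1) if m_from else None,
        "from_ip": m_ip.group(1) if m_ip else None,
        "by_host": m_by.group(1).lower() if m_by else None,
    }


def trusted_origin_ip(msg, our_hosts):
    """Read Received: lines top-down (newest first).  Only lines stamped by
    servers we operate can be trusted; the lowest of those names the IP that
    actually connected to us.  Stop at the first hop not stamped by us, since
    anything below it could have been written by the sender."""
    origin = None
    for hop in (parse_received(v) for v in msg.get_all("Received", [])):
        if hop["by_host"] not in our_hosts:
            break
        if hop["from_ip"]:
            origin = hop["from_ip"]
    return origin


def blocked_attachments(msg, blocked_exts=("scr", "pif", "bat", "exe")):
    """Names of attachments whose final extension is on the block list."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.rsplit(".", 1)[-1].lower() in blocked_exts:
            names.append(name)
    return names


def triage(raw, our_hosts, our_domains, internal_nets):
    """Say where a message really came from and whether its From: is forged."""
    msg = message_from_string(raw)
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    result = {"from_domain": from_domain, "blocked": blocked_attachments(msg)}
    if not msg.get_all("Received"):
        # No Internet headers at all: the message was submitted internally.
        result.update(origin="internal", ip=None, spoofed_from=False)
        return result
    ip = trusted_origin_ip(msg, our_hosts)
    internal = ip is not None and any(ipaddress.ip_address(ip) in n for n in nets)
    result.update(
        origin="internal" if internal else "external",
        ip=ip,
        # Our own domain in From: but handed to us from outside: forged sender.
        spoofed_from=(not internal) and from_domain in our_domains,
    )
    return result


# Constructed sample (not from the thread): From: claims an internal address,
# but the lowest hop stamped by our own relay came in from 203.0.113.45.
SAMPLE_EXTERNAL = """\
Received: from mail.example.com ([192.0.2.10]) by exchange.example.com with
  Microsoft SMTPSVC; Thu, 21 Aug 2003 10:15:02 -0500
Received: from sales.example.com ([203.0.113.45])
  by mail.example.com with SMTP id h7LF0xA0123;
  Thu, 21 Aug 2003 10:15:01 -0500
From: "Sales" <sales@example.com>
To: david@example.com
Subject: Re: Thank you!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="wicked_scr.scr"
Content-Disposition: attachment; filename="wicked_scr.scr"

(payload omitted)
--b1--
"""

OUR_HOSTS = {"exchange.example.com", "mail.example.com"}  # assumed relay names
OUR_DOMAINS = {"example.com"}                            # assumed local domain
INTERNAL_NETS = ["192.0.2.0/24", "10.0.0.0/8"]           # assumed LAN ranges

if __name__ == "__main__":
    print(triage(SAMPLE_EXTERNAL, OUR_HOSTS, OUR_DOMAINS, INTERNAL_NETS))
```

A message with no Received: lines at all is reported as internal, matching JoeM's rule that mail without Internet headers originated inside.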



Re: SoBig.F by Frank

Frank
Fri Aug 22 10:23:57 CDT 2003


Echk.... SoBig.F is looking like it's going to be a nasty one.

One of the interesting things it does is sends all the infected emails
out using a random address selected from the address book. So the
person that is really sending it has no idea he is infected because
someone else looks like they are sending all the messages.

You can look at the ip addy in the SMTP header and see where
it is truly coming from. Sounds like you were in the address books
of many people.

I have also heard - but unverified at this time - that in addition to the
other nasty stuff the virus can do it also phones home your address
book for spammers to use.

Tis the worm and viri season... and experts are predicting that both
poorly written exploits like MS Blaster and those of the calibre of


<pondering to myself if Susan has taken her computers off net yet
because of the clause of having to notify her clients if she gets
infected??>

Frank Clark
