  #1  
Old 20-August-2003, 14:52
skysurfer
Screamager
 
Join Date: May 2001
Location: Bournemouth, UK
Posts: 385
Virus W32/Sobig-F problems

Today I received this message from the Systems AntiVirus Administrator:
Attention: <****@ntlworld.com>.


A Virus was found in an Email message you sent.
This Email scanner intercepted it and stopped the entire message
reaching its destination.

The Virus was reported to be:

W32/Sobig-F


Please update your virus scanner or contact your I.T support
personnel as soon as possible as you have a virus on your system.


Your message was sent with the following envelope:

MAIL FROM: ****@****.com
RCPT TO: ****@****.net

... and with the following headers:

From: <****@ntlworld.com>
To: <****@****.net>
Subject: Your details
Date: Wed, 20 Aug 2003 13:54:36 +0100



The original message is kept in:

eco74:/var/spool/qmailscan/quarantine

where the System Anti-Virus Administrator can further diagnose it.

The Email scanner reported the following when it scanned that message:

---

---sweep results ---
>>> Virus 'W32/Sobig-F' found in file /var/spool/qmailscan/eco74106138412240814661/thank_you.pif

---
Skysurfer again. I don't recognise the britishlaw address and my system is behaving normally, so I suspected nothing's wrong.
On the web somewhere I found the exchange below, which suggests that I'm probably clean.
Has anyone any comments about this, please?
Here are the letters I found on one group:

From: Richard **** (****@****.net)
Subject: W32.Sobig.F@mm


Newsgroups: microsoft.public.security.virus
Date: 2003-08-19 20:24:18 PST


Hi,

Like some others, I have been bombarded with emails today
with attachments infected with W32.Sobig.F@mm. Good info
at:

http://securityresponse.symantec.com...obig.f@mm.html

Only virus signature files dated today recognize the
virus. I'm sure I'm getting so many messages because I
frequent the newsgroups.

However, I am also getting "Mail Delivery Subsystem"
or "Mail Delivery System" messages that seem to be telling
me that a message I sent was blocked because it had the
suspicious attachment. I never opened or clicked any of
the attachments, the files winppr32.exe and winsst32.dat
are not on my machine, and a scan of my machine with
today's signature file shows I'm clean, but these messages
seem to say I'm sending infected messages to strange
addresses I've never seen. Is it possible the virus is
spoofing messages so they appear to be coming from me, and
software at the receiving server blocks it and sends me
the email? Or, am I somehow infected and can't tell? Is
there a way to tell from what machine (or IP address) the
infected message was sent from the "Mail Delivery System"
message?

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.****.net
--
Message 2 in thread
From: Blue (****@hotmail.com)
Subject: Re: W32.Sobig.F@mm


Newsgroups: microsoft.public.security.virus
Date: 2003-08-20 03:27:57 PST


Yes, the virus may use one of the email addresses it harvests from the
infected machine and use it in the "From:" field. If the mail is then
blocked by receiving servers, warning messages will be sent to this
address, which may be yours.

This also means that people will think they have been infected from
machines that have never even sent them an email, let alone a virused
one.

> Is it possible the virus is
> spoofing messages so they appear to be coming from me, and
> software at the receiving server blocks it and sends me
> the email? Or, am I somehow infected and can't tell? Is
> there a way to tell from what machine (or IP address) the
> infected message was sent from the "Mail Delivery System"
> message?
edit : removed email addresses and tidied up for ease of reading - Mem

Last edited by Memfis; 20-August-2003 at 15:10.
  #2  
Old 20-August-2003, 15:14
Memfis
Former TS! Team
 
Join Date: Feb 2002
Location: ex TS! Team Mansion squatter
Posts: 3,894

Hope you don't mind, but I removed the email addresses (no sense in causing more spam for the poor people) and tidied up so it's easier to read.

You *may* be infected. close as much as possible down then run a full system scan.

The title "Your details" and the faked return address (your email address) are indications that someone out there is infected and it's randomly used your email address as the reply-to address.

It also scans that person's hard drive for lists of email addresses, so it could be someone you know that's infected.
  #3  
Old 20-August-2003, 15:15
Memfis
Former TS! Team
 
Join Date: Feb 2002
Location: ex TS! Team Mansion squatter
Posts: 3,894

P.S. Do you have the full headers for the original mail?

If so, remove IPs and email addresses etc. and post them here.
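Richard's question above ("Is there a way to tell from what machine (or IP address) the infected message was sent?") and Memfis's request for the full headers both come down to reading the Received: lines that the bouncing server quotes back. The From: line is whatever the worm put there, but each relay prepends its own Received: header, so the header nearest the bottom was written by the first server to accept the message and records the IP that actually connected to it. A mass-mailer with its own SMTP engine connects straight to the recipient's mail exchanger, so that first hop is the infected machine, not the spoofed sender's ISP. The script below is an added example, not code from anyone in this thread; the sample headers, hostnames, IP addresses (RFC 5737 documentation ranges) and the MY_ISP_RELAYS network are all constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the original headers a receiving server quotes back in a
# "Mail Delivery System" bounce. Hosts and IPs are RFC 5737 documentation
# values and the addresses are made up; nothing here is a real machine.
SAMPLE_BOUNCED_HEADERS = """\
Received: from mx1.example.net (mx1.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id abc123; Wed, 20 Aug 2003 13:55:01 +0100
Received: from unknown (HELO ntlworld.com) (203.0.113.45)
\tby mx1.example.net with SMTP; Wed, 20 Aug 2003 13:54:40 +0100
From: <someone@ntlworld.com>
To: <victim@example.org>
Subject: Your details
Date: Wed, 20 Aug 2003 13:54:36 +0100

"""

# Assumed (constructed) outbound relay network of the spoofed sender's own ISP.
# Mail the user really sent would enter the internet through one of these.
MY_ISP_RELAYS = ["192.0.2.0/24"]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_RE = re.compile(r"\(HELO\s+([^\s)]+)\)", re.IGNORECASE)


def received_chain(raw_headers):
    """IP recorded in each Received: header, earliest hop first.

    Every server prepends its own Received: line, so the header that appears
    last in the message was written by the first server to see the mail.
    """
    msg = message_from_string(raw_headers)
    hops = []
    for hdr in msg.get_all("Received", []):
        match = IPV4_RE.search(hdr)
        hops.append(match.group(1) if match else None)
    hops.reverse()
    return hops


def originating_ip(raw_headers):
    """Connecting IP seen by the first relay: where the mail was injected."""
    return next((ip for ip in received_chain(raw_headers) if ip), None)


def claimed_helo(raw_headers):
    """HELO name the injecting host announced (self-asserted, so unreliable)."""
    received = message_from_string(raw_headers).get_all("Received", [])
    if not received:
        return None
    match = HELO_RE.search(received[-1])
    return match.group(1) if match else None


def from_domain(raw_headers):
    """Domain in the From: header; this is the field the worm forges."""
    msg = message_from_string(raw_headers)
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def entered_via(raw_headers, trusted_networks):
    """True if the first hop lies inside trusted_networks, False if not,
    None when the bounce carries no usable Received: header."""
    ip = originating_ip(raw_headers)
    if ip is None:
        return None
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in trusted_networks)


def assess_bounce(raw_headers, trusted_networks):
    """One-line verdict: does the bounce point at your machine or at a spoofer?"""
    via_own_isp = entered_via(raw_headers, trusted_networks)
    if via_own_isp is None:
        return "undetermined: no usable Received: header in the bounce"
    if via_own_isp:
        return "injected through your ISP: scan this machine"
    return ("injected from %s, outside your ISP: From: was spoofed (backscatter)"
            % originating_ip(raw_headers))


if __name__ == "__main__":
    print("From: domain :", from_domain(SAMPLE_BOUNCED_HEADERS))
    print("claimed HELO :", claimed_helo(SAMPLE_BOUNCED_HEADERS))
    print("relay chain  :", received_chain(SAMPLE_BOUNCED_HEADERS))
    print("verdict      :", assess_bounce(SAMPLE_BOUNCED_HEADERS, MY_ISP_RELAYS))
```

In the sample the From: domain and the HELO both say ntlworld.com, yet the first hop (203.0.113.45) is outside the ISP's relay range, which is exactly the pattern of a forged sender: the only field the sender cannot rewrite is the IP the receiving server observed. If the first hop does fall inside your own ISP's relays, the bounce deserves a scan of your machine, as Memfis advises.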
  #4  
Old 20-August-2003, 16:18
Scoobs
 
Join Date: May 2001
Location: In my own little world
Posts: 4,896

Removal tool in this post:

http://www.the-scream.co.uk/forums/t9526.html?
  #5  
Old 20-August-2003, 16:51
skysurfer
Screamager
 
Join Date: May 2001
Location: Bournemouth, UK
Posts: 385

Thanks for tidying Mephis and for the removal link from Sophos Scooby Doo.
I downloaded the clean up tool and then ran it into my system.
Does that mean I'm clean, or do I have to do something else?
Sorry to be PC dense...
  #6  
Old 20-August-2003, 16:59
Ian
 
Join Date: Apr 2001
Location: Down South
Posts: 3,264

Got a handful of these bounces at work and 1 here (for the-scream.com address)

These aren't an indication that you have the virus, and if you have the virus you won't necessarily see any of these bounce emails.

If the clean-up tool says all is OK, then you're fine.
  #7  
Old 20-August-2003, 17:03
skysurfer
Screamager
 
Join Date: May 2001
Location: Bournemouth, UK
Posts: 385

I think I might not have done something properly.
The clean-up tool didn't say anything - I downloaded it and then clicked on it and pressed OK or whatever, and that was it.
No indication to say 'you have a virus' or anything.
Maybe it wasn't a clean up tool but a preventative patch I downloaded.
Oh dear - think I'll just carry on until my PC explodes...
As you say Ian - I'll believe these emails mean nothing until it does!
Thanks for help peeps.
  #8  
Old 20-August-2003, 17:04
Memfis
Former TS! Team
 
Join Date: Feb 2002
Location: ex TS! Team Mansion squatter
Posts: 3,894

To add to Ian's post, I feel that you are clean; just keep any AV up to date and let it sort things out.