Re[2]: [Declude.Virus] SoBig more prolific now?

2003-09-08 Thread Eje Gustafsson
If I were you and the infected machine connected directly to your
mailserver I would create a BAN in Imail for this IP to prevent it from
even connecting and sending anything to your server.

/ Eje

Monday, September 8, 2003, 5:28:14 AM, you wrote:

JP> I have sort of resigned myself to just continue deleting them as they come
JP> in.

JP> Hopefully they will actually stop on the 20th.

JP> jp
JP> - Original Message -
JP> From: Hermann Strassner [EMAIL PROTECTED]
JP> To: [EMAIL PROTECTED]
JP> Sent: Monday, September 08, 2003 3:59 AM
JP> Subject: RE: [Declude.Virus] SoBig more prolific now?

JP> >> were sent to a single address on my domain at the rate of about 1 per
JP> >> minute.  Does anyone know how fast it sends?  Does it have anything to
JP> >> do with the speed of the infected computer?  I'm just curious.

JP> > I think it depends on the speed of the internet connection, and if it is
JP> > fast enough, from the speed of the PC.

JP> > Hermann

Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  eFax  : 240-376-7272
Phone : 620-231-  Fax   : 620-231-4066
Online Store http://www.fament.com/catalog/
  - Your Full Time Professionals -

-- 
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  The archives can be found
at http://www.mail-archive.com.


Re: Re[2]: [Declude.Virus] SoBig more prolific now?

2003-09-08 Thread Jeff Pereira
I'm tired of doing that




RE: Re[2]: [Declude.Virus] SoBig more prolific now?

2003-09-08 Thread Marc Catuogno
I have been doing that, but I have heard that IMAIL's CAL can only
handle 100 IPs and I am running at about 90 now.  Most of the offenders
are from Optimum online, I could block their whole IP range, but then I
think my home Optimum users trying to POP or SMTP (maybe even
Webmail) won't be able to connect to my machine.  I can use the Declude
IP blacklist, but that is not removing the processing time required.
When I get hit like I did on Friday, I call and e-mail Optimum, but they
really haven't done anything.  Usually within 2 or 3 days I get more
SOBIGS from the same machine (HIPHOPSOUNDS) name with a slightly
different IP. So when the cable modem keeps getting a different IP from
cable the machine can then blast me again.

You would think Optimum would know who has leased an IP and then contact
them, just in the interest of protecting their own network.

Stupid virus.



[Declude.Virus] SoBig more prolific now?

2003-09-06 Thread Marc Catuogno
Last night I got hammered with about 3,000 sobigs in the course of
about 2 hours from one infected computer - it seems this particular
computer had almost every address from my domain on it.  This morning I
got about 100 from another computer - the strange thing was that all 100
were sent to a single address on my domain at the rate of about 1 per
minute.  Does anyone know how fast it sends?  Does it have anything to
do with the speed of the infected computer?  I'm just curious.

When will people stop opening this attachment?



RE: [Declude.Virus] SoBig more prolific now?

2003-09-06 Thread Doug McKee
There ain't no cure for stupidity.





[Declude.Virus] SoBig

2003-08-30 Thread serge
This is getting ridiculous
i have more than 36% infected ratio
all sobig.f
is there anything i can do about that?
is there a utility that will go thru the log and count the numbers of
viruses per remote (or local) ip address? so i can block the most guilty
addresses on my gateway ?


Scan Summary -

Total Emails Scanned    = 9 802

Total Emails Clean      = 6 248
Total Emails Infected   = 3 554    Inbound=3 535 / Outbound=19

Outlook vulnerabilities = 148

Infected / Scanned      = 36,2579 %

--


Log File Summary -

Log Name       Virus Count   Total Scanned
vir0829.log    3 554         9 802

--


Virus Summary by Count ---

Count    Inbound/Outbound   Name
3 473    3 473 / 0          W32/[EMAIL PROTECTED]
33       33 / 0             W32/[EMAIL PROTECTED]
25       6 / 19             W32/[EMAIL PROTECTED]
8        8 / 0              W32/[EMAIL PROTECTED]
6        6 / 0              W32/[EMAIL PROTECTED] (corrupted)
4        4 / 0              EICAR_Test_File
2        2 / 0              W32/[EMAIL PROTECTED]
2        2 / 0              W32/[EMAIL PROTECTED]
1        1 / 0              W32/[EMAIL PROTECTED]

--




Re: [Declude.Virus] SoBig

2003-08-30 Thread R. Scott Perry

> is there a utility that will go thru the log and count the numbers of
> viruses per remote (or local) ip address? so i can block the most guilty
> addresses on my gateway ?

You might want to go to the spool directory at a command prompt, and type:

  find "Received:" D*.SMD > file1.txt
  sort < file1.txt > file2.txt

Then, you can open file2.txt with Notepad and scroll through it to find the
worst offenders.  If you have several weeks or more of viruses in there,
you may want to clear out the directory and only use new incoming viruses.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
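
A scripted version of the count described above, added here as an example (it is not part of the original message and not Declude or IMail code): it tallies connecting IPs from the `find` output, using only the first Received: line of each spool file because the lower ones are supplied by the sender. The Received: layout, the sample data and all function names are assumptions; the rule text copies the "deny tcp host ... any eq smtp" form posted elsewhere in this thread.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of `find "Received:" D*.SMD` output: one "---------- FILE"
# banner per spool file, then that file's matching lines. The header layout,
# file names, host names and IPs (RFC 5737 ranges) are made up for this example.
SAMPLE = """\
---------- D0A1B0001.SMD
Received: from HIPHOPSOUNDS [203.0.113.45] by mail.example.com with ESMTP; Fri, 29 Aug 2003 21:02:11 -0400
Received: from unknown [10.9.8.7] by relay.example.net; Fri, 29 Aug 2003 20:59:00 -0400

---------- D0A1B0002.SMD
Received: from HIPHOPSOUNDS [203.0.113.45] by mail.example.com with ESMTP; Fri, 29 Aug 2003 21:03:10 -0400

---------- D0A1B0003.SMD
Received: from HIPHOPSOUNDS [203.0.113.45] by mail.example.com with ESMTP; Fri, 29 Aug 2003 21:04:09 -0400

---------- D0A1B0004.SMD
Received: from hiphopsounds [203.0.113.77] by mail.example.com with ESMTP; Mon, 1 Sep 2003 08:15:40 -0400

---------- D0A1B0005.SMD
Received: from HIPHOPSOUNDS [203.0.113.77] by mail.example.com with ESMTP; Mon, 1 Sep 2003 08:16:41 -0400

---------- D0A1B0006.SMD
Received: from LABPC [198.51.100.9] by mail.example.com with ESMTP; Mon, 1 Sep 2003 09:00:00 -0400

---------- D0A1B0007.SMD
Received: from mx2.example.com [192.0.2.10] by mail.example.com with ESMTP; Mon, 1 Sep 2003 09:05:00 -0400

---------- D0A1B0008.SMD
Received: from mx2.example.com [192.0.2.10] by mail.example.com with ESMTP; Mon, 1 Sep 2003 09:06:00 -0400
"""

BANNER = re.compile(r"^-{10} (.+)$")
RECEIVED = re.compile(r"^Received:\s+from\s+(\S+)\s+\[([0-9.]+)\]", re.I)


def first_hops(find_output):
    """Return [(spool_file, helo_name, ip)] from the first Received: line per file."""
    hops, current, taken = [], None, False
    for line in find_output.splitlines():
        banner = BANNER.match(line)
        if banner:
            current, taken = banner.group(1).strip(), False
            continue
        if current is None or taken or not line.lower().startswith("received:"):
            continue
        taken = True  # never fall through to lower, sender-controlled headers
        m = RECEIVED.match(line)
        if m:
            try:
                ip = ipaddress.IPv4Address(m.group(2))
            except ValueError:
                continue  # malformed address: skip this file entirely
            hops.append((current, m.group(1), str(ip)))
    return hops


def rank_senders(hops, trusted=()):
    """Count infected messages per connecting IP, skipping your own relays."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    counts = Counter()
    for _, _, ip in hops:
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            counts[ip] += 1
    return counts


def roaming_hosts(hops):
    """HELO names seen from more than one IP (same machine, new DHCP lease)."""
    seen = defaultdict(set)
    for _, helo, ip in hops:
        seen[helo.upper()].add(ip)
    return {h: sorted(ips, key=ipaddress.ip_address)
            for h, ips in seen.items() if len(ips) > 1}


def acl_lines(counts, min_hits=2, limit=100):
    """Worst offenders first, one rule per IP, capped for small access lists."""
    worst = [ip for ip, n in counts.most_common() if n >= min_hits][:limit]
    return [f"deny tcp host {ip} any eq smtp" for ip in worst]


if __name__ == "__main__":
    hops = first_hops(SAMPLE)
    counts = rank_senders(hops, trusted=["192.0.2.0/24"])
    for ip, n in counts.most_common():
        print(f"{n:5d}  {ip}")
    print(roaming_hosts(hops))
    print("\n".join(acl_lines(counts)))
```

Because `counts` is keyed by IP, each address yields exactly one rule, and `roaming_hosts()` surfaces a sender that comes back under a new address so its provider range can be reviewed instead of adding single-host entries indefinitely.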



RE: [Declude.Virus] SoBig

2003-08-30 Thread John Tolmachoff \(Lists\)
That would be the spool\virus directory, correct?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com




Re: [Declude.Virus] SoBig

2003-08-30 Thread serge
thanks scott
i was able to select a dozen of addresses and this is making a big difference

!SoBig senders
deny tcp host 200.93.136.5 any  eq smtp
deny tcp host 81.192.2.130 any eq smtp
deny tcp host 80.11.225.195 any eq smtp
deny tcp host 80.11.225.123 any eq smtp
deny tcp host 80.14.187.188 any  eq smtp
deny tcp host 193.253.189.90 any eq smtp
deny tcp host 217.128.120.96 any eq smtp
deny tcp host 194.167.144.29 any eq smtp
deny tcp host 196.1.100.215  any eq smtp
deny tcp host 212.62.54.13 any eq smtp
deny tcp host 213.154.90.82 any eq smtp
deny tcp host 213.154.70.180 any eq smtp
deny tcp host 141.155.142.158 any eq smtp
deny tcp host 217.136.255.62 any eq smtp
deny tcp host 200.93.136.5 any eq smtp
deny tcp host 217.136.255.62 any eq smtp
deny tcp host 63.126.131.20 any eq smtp



RE: [Declude.Virus] SoBig

2003-08-30 Thread Dan Spangenberg
Where are you denying those IP addresses, at your router I assume?
I don't have control over that... is there anyplace else to enter an IP
address to be denied? 
Imail? 
Declude?

Dan



RE: [Declude.Virus] SoBig

2003-08-30 Thread Marc Catuogno
I've been sticking the IPs into IMAIL's control access list as fast as
they have been coming in.  Declude reports them and I'm popping them in
there and I'm not sure I'm ever going to remove them.

Under local host > SMTP > second tab SMTP security > Control access
button

You must stop and restart SMTP for the changes to take effect.

Marc



RE: [Declude.Virus] SoBig

2003-08-30 Thread R. Scott Perry

>> You might want to go to the spool directory at a command prompt, and type:
>>
>>   find "Received:" D*.SMD > file1.txt
>>   sort < file1.txt > file2.txt
>
> That would be the spool\virus directory, correct?

Good catch, you are correct.  It should be the spool\virus directory.

   -Scott


RE: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread John Tolmachoff \(Lists\)
Ok, this calls for a white hat virus creator.

A virus that will infect all these unpatched computers, and the only thing
it does is create a big bold red popup every 15 minutes that says "Patch your
computer, you dummy."

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.Virus-
> [EMAIL PROTECTED] On Behalf Of R. Scott Perry
> Sent: Tuesday, August 26, 2003 1:44 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] Sobig, the next wave?
>
> >People are typically unaware that their machine is infected - because it
> >continues to function perfectly.
>
> That is very true.
>
> We infected a computer in our virus lab with Sobig.F, and you couldn't tell
> anything unusual was happening.  The file didn't seem to do anything when
> it was run (so the recipient probably figures that the attachment didn't
> get downloaded or something like that, and probably won't even say "Yes, I
> ran the program" when asked by an admin), and the only noticeable
> differences on the system were a couple extra registry entries and system
> files (files in the \Winnt directory and \Winnt\system32 directory), and a
> program running in Task Manager (something like "winsst32.exe" that doesn't
> look unusual).
>
> People who are infected probably would have a somewhat slower Internet
> connection, but that's probably about all they would notice.
>
> -Scott


RE: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread Greg Foulks
I'll buy that virus!

Greg


--
[This E-mail was scanned for viruses by Declude Virus Scanner on mail.nfti.com]



RE: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread Andy Schmidt
Okay, I'll donate some funds.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/




Re: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread paul
A virus that will infect all these unpatched computers, and the only thing
it does is create a big bold red popup every 15 minutes that says Patch your
computer, you dummy.

I can hear the tech calls now.

I have this big window calling me a dummy. what am I supposed to do?

Read.the.message..

Paul




RE: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread R. Scott Perry

People are typically unaware that their machine is infected - because it
continues to function perfectly.

That is very true.

We infected a computer in our virus lab with Sobig.F, and you couldn't tell 
anything unusual was happening.  The file didn't seem to do anything when 
it was run (so the recipient probably figures that the attachment didn't 
get downloaded or something like that, and probably won't even say Yes, I 
ran the program when asked by an admin), and the only noticeable 
differences on the system were a couple extra registry entries and system 
files (files in the \Winnt directory and \Winnt\system32 directory), and a 
program running in Task Manager (something like winsst32.exe that doesn't 
look unusual).

People who are infected probably would have a somewhat slower Internet 
connection, but that's probably about all they would notice.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



Re: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread Webmaster Oilfield Directory
I like that idea very much...


- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 1:56 PM
Subject: RE: [Declude.Virus] Sobig, the next wave?


Ok, this calls for a white hat virus creator.

A virus that will infect all these unpatched computers, and the only thing
it does is create a big bold red popup every 15 minutes that says Patch your
computer, you dummy.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com




Re: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread Webmaster Oilfield Directory
Where do I send my donation to get this going LOL! Let's do it.

- Original Message - 
From: Andy Schmidt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 3:02 PM
Subject: RE: [Declude.Virus] Sobig, the next wave?


Okay, I'll donate some funds.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Tuesday, August 26, 2003 04:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?


Ok, this calls for a white hat virus creator.

A virus that will infect all these unpatched computers, and the only thing
it does is create a big bold red popup every 15 minutes that says Patch your
computer, you dummy.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com




Re: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread Jonathan
Not exactly a new idea ... :)
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.html

At 07:54 PM 8/26/2003 -0700, you wrote:

I like that idea very much...

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 1:56 PM
Subject: RE: [Declude.Virus] Sobig, the next wave?
Ok, this calls for a white hat virus creator.

A virus that will infect all these unpatched computers, and the only thing
it does is create a big bold red popup every 15 minutes that says Patch your
computer, you dummy.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


RE: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread Jeff Maze - Hostmaster
Hahaha.. I have a list of about 20+ computer IPs that we can start with..

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Webmaster Oilfield
Directory
Sent: Tuesday, August 26, 2003 9:54 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Sobig, the next wave?


I like that idea very much...


- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 1:56 PM
Subject: RE: [Declude.Virus] Sobig, the next wave?


Ok, this calls for a white hat virus creator.

A virus that will infect all these unpatched computers, and the only thing
it does is create a big bold red popup every 15 minutes that says Patch your
computer, you dummy.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com




Re: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread Johan Driesmans
That's true, also most people don't know how they have to patch their
computer, or even what all this stuff means. They are not stupid, but are
unknown. That's where we come in. Advising and helping those people is our job.
But too much is too much.

So what I do is create a message with a removal/fix tool as attachment and
ask them to run this thing, explaining in simple terms what is going on and
what they have to do. A lot of work but it works.

 People are typically unaware that their machine is infected - because it
 continues to function perfectly.


Johan Driesmans
ICT Manager
Syscom



RE: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread John Carter
Regards a major increase in Sobig, this is what happened here.

John

Log File Summary -

Log Name       Virus Count    Total Scanned
vir0801.log    2              2
vir0802.log    5              5
vir0803.log    1              1
vir0804.log    5              5
vir0805.log    1              1
vir0806.log    2              2
vir0807.log    1              1
vir0808.log    9              9
vir0809.log    4              4
vir0810.log    2              2
vir0811.log    6              6
vir0812.log    14             14
vir0813.log    3              3
vir0814.log    2              2
vir0815.log    1              1
vir0816.log    5              5
vir0817.log    5              5
vir0818.log    7              7
vir0819.log    437            437
vir0820.log    2,939          2,939
vir0821.log    3,937          3,937
vir0822.log    2,755          2,755
vir0823.log    275            275
vir0824.log    91             91
vir0825.log    8,525          8,525
vir0826.log    17,099         17,099

--


Virus Summary by Count ---

Count     Inbound/Outbound    Name
34,338    34,338 / 0          W32/[EMAIL PROTECTED]
1,692     1,692 / 0           W32/Sobig.F
28        28 / 0              W32/[EMAIL PROTECTED] (corrupted)
25        25 / 0              W32/[EMAIL PROTECTED]
20        20 / 0              W32/[EMAIL PROTECTED]
17        17 / 0              W32/[EMAIL PROTECTED]
6         6 / 0               W32/[EMAIL PROTECTED]
3         3 / 0               W32/[EMAIL PROTECTED]
2         2 / 0               W32/[EMAIL PROTECTED]
2         2 / 0               W32/Hybris.worm.B

--

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Tuesday, August 26, 2003 2:43 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Sobig, the next wave?

I have seen a major resurgence in messages caught in the last 24 hours, and
have received a notice pointing to this short article:
http://www.wininformant.com/articles/index.cfm?articleid=39943

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com





RE: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread Markus Gufler
 vir0819.log   437 437
 vir0820.log   2,939   2,939
 vir0821.log   3,937   3,937
 vir0822.log   2,755   2,755
 vir0823.log   275 275
 vir0824.log   91  91
 vir0825.log   8,525   8,525
 vir0826.log   17,099  17,099


In % nearly the same here.

Markus



RE: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread Sharyn Schmidt
 vir0819.log   437 437
 vir0820.log   2,939   2,939
 vir0821.log   3,937   3,937
 vir0822.log   2,755   2,755
 vir0823.log   275 275
 vir0824.log   91  91
 vir0825.log   8,525   8,525
 vir0826.log   17,099  17,099


Forgive the dumb question, where did you get this cool log counter
thing?

Sharyn


We are the worldwide producer and marketer of the award winning Cruzan
Single Barrel Rum, judged Best in the World at the annual
San Francisco Wine and Spirits Championships. For
more information, please click (go to) http://www.cruzanrums.com


RE: [Declude.Virus] Sobig vs. Imail List Server - Huge Log Files

2003-08-27 Thread Andy Schmidt
I had a much more drastic increase since Saturday - but it turned out to be
a secondary problem where a virus was sent to [EMAIL PROTECTED] - triggering
Imail's list server to respond with invalid command - that email was sent
to the apparent sender - which unfortunately was some other provider's
unattended mailbox - which then responded with thanks - we'll get back to
you - which got back to [EMAIL PROTECTED] and we had the two servers play a
beautiful game of ping-pong.

I had 3 of those occasions so far since Saturday - each day creating HUGE
log files!

You might want to run the Imail log analyzer to see if certain IPs are
suddenly sending thousands of emails per day - and then check the log if
it's just an Imail List Server loop.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Wednesday, August 27, 2003 09:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?


Regards a major increase in Sobig, this is what happened here.

John

Log File Summary -

Log Name       Virus Count    Total Scanned
vir0801.log    2              2
vir0802.log    5              5
vir0803.log    1              1
vir0804.log    5              5
vir0805.log    1              1
vir0806.log    2              2
vir0807.log    1              1
vir0808.log    9              9
vir0809.log    4              4
vir0810.log    2              2
vir0811.log    6              6
vir0812.log    14             14
vir0813.log    3              3
vir0814.log    2              2
vir0815.log    1              1
vir0816.log    5              5
vir0817.log    5              5
vir0818.log    7              7
vir0819.log    437            437
vir0820.log    2,939          2,939
vir0821.log    3,937          3,937
vir0822.log    2,755          2,755
vir0823.log    275            275
vir0824.log    91             91
vir0825.log    8,525          8,525
vir0826.log    17,099         17,099

--


Virus Summary by Count ---

Count     Inbound/Outbound    Name
34,338    34,338 / 0          W32/[EMAIL PROTECTED]
1,692     1,692 / 0           W32/Sobig.F
28        28 / 0              W32/[EMAIL PROTECTED] (corrupted)
25        25 / 0              W32/[EMAIL PROTECTED]
20        20 / 0              W32/[EMAIL PROTECTED]
17        17 / 0              W32/[EMAIL PROTECTED]
6         6 / 0               W32/[EMAIL PROTECTED]
3         3 / 0               W32/[EMAIL PROTECTED]
2         2 / 0               W32/[EMAIL PROTECTED]
2         2 / 0               W32/Hybris.worm.B

--

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Tuesday, August 26, 2003 2:43 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Sobig, the next wave?

I have seen a major resurgence in messages caught in the last 24 hours, and
have received a notice pointing to this short article:
http://www.wininformant.com/articles/index.cfm?articleid=39943

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
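
The check described in the message above (per-IP volume first, then looking for a list-server loop), as an added example that is not part of the original post or of any IMail tool. The log layout, addresses and IPs are constructed for illustration and are not IMail's actual log format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed, simplified log layout (NOT IMail's real format):
#   YYYY-MM-DD HH:MM:SS <peer-ip> from=<sender> to=<recipient>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>$"
)


def parse_line(line):
    """Return (timestamp, peer_ip, sender, recipient) or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["ip"], m["sender"].lower(), m["rcpt"].lower()


def busy_ips(records, per_day_threshold):
    """Map (date, peer_ip) -> message count for peers at or above the threshold."""
    counts = Counter((ts.date().isoformat(), ip) for ts, ip, _s, _r in records)
    return {key: n for key, n in counts.items() if n >= per_day_threshold}


def find_loops(records, min_alternations=4, max_gap=timedelta(minutes=10)):
    """Find address pairs that keep answering each other (auto-responder ping-pong).

    A worm flood is one-way, so it produces volume but no direction changes.
    A responder loop shows the same two addresses alternating as sender and
    recipient. Messages with an empty envelope sender are skipped because a
    reply to them cannot be addressed to anyone.
    """
    by_pair = defaultdict(list)
    for ts, _ip, sender, rcpt in records:
        if not sender or sender == rcpt:
            continue
        by_pair[frozenset((sender, rcpt))].append((ts, sender))

    loops = {}
    for pair, msgs in by_pair.items():
        msgs.sort()
        alternations = 0
        for (t_prev, s_prev), (t_cur, s_cur) in zip(msgs, msgs[1:]):
            # Count a direction change only if the answer came back quickly.
            if s_cur != s_prev and t_cur - t_prev <= max_gap:
                alternations += 1
        if alternations >= min_alternations:
            loops[tuple(sorted(pair))] = alternations
    return loops


def build_sample():
    """Constructed log lines for the demo; every address and IP is made up."""
    start = datetime(2003, 8, 23, 10, 0, 0)
    lines = []
    # Ping-pong: list server and a remote auto-responder answer each other.
    for i in range(6):
        t = start + timedelta(minutes=i)
        if i % 2 == 0:
            lines.append(f"{t:%Y-%m-%d %H:%M:%S} 198.51.100.7 "
                         "from=<autoreply@provider.example> to=<listserv@example.com>")
        else:
            lines.append(f"{t:%Y-%m-%d %H:%M:%S} 127.0.0.1 "
                         "from=<listserv@example.com> to=<autoreply@provider.example>")
    # One-way flood from a single peer with a different forged sender each time.
    for i in range(5):
        t = start + timedelta(seconds=30 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 203.0.113.9 "
                     f"from=<forged{i}@example.org> to=<user@example.com>")
    # A bounce with an empty envelope sender, and a line that does not parse.
    lines.append("2003-08-23 10:07:00 192.0.2.25 from=<> to=<listserv@example.com>")
    lines.append("this line is not a delivery record")
    return lines


if __name__ == "__main__":
    records = [r for r in map(parse_line, build_sample()) if r is not None]
    print("busy peers:", busy_ips(records, per_day_threshold=5))
    print("loops:", find_loops(records))
```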





RE: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread Pat Hastings
You can download it here http://www.csonline.net/imailstuff/viruslog.htm

There is also a batch file that does a similar thing but I can't get it
to work (see post below). This is one of the tools available in the tools
section on declude.com http://www.declude.com/tools/index.html

Pat

-Original Message-
From: Jeff Maze - Hostmaster [mailto:[EMAIL PROTECTED] 
Sent: 27 August 2003 14:47
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?


I don't think that's a dumb question 'cuz I would like to know that
too.. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sharyn Schmidt
Sent: Wednesday, August 27, 2003 8:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?


 vir0819.log   437 437
 vir0820.log   2,939   2,939
 vir0821.log   3,937   3,937
 vir0822.log   2,755   2,755
 vir0823.log   275 275
 vir0824.log   91  91
 vir0825.log   8,525   8,525
 vir0826.log   17,099  17,099


Forgive the dumb question, where did you get this cool log counter
thing?

Sharyn




RE: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread Jeff Maze - Hostmaster
I don't think that's a dumb question 'cuz I would like to know that too.. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sharyn Schmidt
Sent: Wednesday, August 27, 2003 8:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?


 vir0819.log   437 437
 vir0820.log   2,939   2,939
 vir0821.log   3,937   3,937
 vir0822.log   2,755   2,755
 vir0823.log   275 275
 vir0824.log   91  91
 vir0825.log   8,525   8,525
 vir0826.log   17,099  17,099


Forgive the dumb question, where did you get this cool log counter thing?

Sharyn




RE: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread Rodney Bertsch
Is there a similar program that reports on SPAM mail (using I-Mail's
included SPAM filter, not Junkmail)?  I realize this is more of an Ipswitch
question but I find there are much more informed folks over here.

Thanks,

Rodney

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Pat Hastings
Sent: Wednesday, August 27, 2003 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?


You can download it here http://www.csonline.net/imailstuff/viruslog.htm

There is also a batch file that does a similar thing but I can't get it
to work (see post below). This is one of the tools available in the tools
section on declude.com http://www.declude.com/tools/index.html

Pat

-Original Message-
From: Jeff Maze - Hostmaster [mailto:[EMAIL PROTECTED] 
Sent: 27 August 2003 14:47
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?


I don't think that's a dumb question 'cuz I would like to know that
too.. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sharyn Schmidt
Sent: Wednesday, August 27, 2003 8:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?


 vir0819.log   437 437
 vir0820.log   2,939   2,939
 vir0821.log   3,937   3,937
 vir0822.log   2,755   2,755
 vir0823.log   275 275
 vir0824.log   91  91
 vir0825.log   8,525   8,525
 vir0826.log   17,099  17,099


Forgive the dumb question, where did you get this cool log counter
thing?

Sharyn



RE: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread Sharyn Schmidt

You can download it here http://www.csonline.net/imailstuff/viruslog.htm

It *is* my day for dumb questions, or perhaps it's a tribute to Declude
virus that I haven't had to touch the config file since the day I
installed it. After changing the loglevel to MID to use this tool, does
anything need to be restarted?

Thanks,
Sharyn



We are the worldwide producer and marketer of the award winning Cruzan
Single Barrel Rum, judged Best in the World at the annual
San Francisco Wine and Spirits Championships. For
more information, please click (go to) http://www.cruzanrums.com


Re: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread Greg Hedgepath
What log analyzer gave you these stats?

Greg Hedgepath
[EMAIL PROTECTED]
http://www.CFHosting.net/

ICQ#: 290276 | AIM: colFu
Yahoo: cfhosting
msn:   [EMAIL PROTECTED]
- Original Message - 
From: John Carter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 9:21 AM
Subject: RE: [Declude.Virus] Sobig, the next wave?


 Regards a major increase in Sobig, this is what happened here.

 John

 Log File Summary -

 Log Name      Virus Count   Total Scanned
 vir0801.log             2               2
 vir0802.log             5               5
 vir0803.log             1               1
 vir0804.log             5               5
 vir0805.log             1               1
 vir0806.log             2               2
 vir0807.log             1               1
 vir0808.log             9               9
 vir0809.log             4               4
 vir0810.log             2               2
 vir0811.log             6               6
 vir0812.log            14              14
 vir0813.log             3               3
 vir0814.log             2               2
 vir0815.log             1               1
 vir0816.log             5               5
 vir0817.log             5               5
 vir0818.log             7               7
 vir0819.log           437             437
 vir0820.log         2,939           2,939
 vir0821.log         3,937           3,937
 vir0822.log         2,755           2,755
 vir0823.log           275             275
 vir0824.log            91              91
 vir0825.log         8,525           8,525
 vir0826.log        17,099          17,099

 --


 Virus Summary by Count ---

 Count    Inbound/Outbound   Name
 34,338   34,338 / 0         W32/[EMAIL PROTECTED]
 1,692    1,692 / 0          W32/Sobig.F
 28       28 / 0             W32/[EMAIL PROTECTED] (corrupted)
 25       25 / 0             W32/[EMAIL PROTECTED]
 20       20 / 0             W32/[EMAIL PROTECTED]
 17       17 / 0             W32/[EMAIL PROTECTED]
 6        6 / 0              W32/[EMAIL PROTECTED]
 3        3 / 0              W32/[EMAIL PROTECTED]
 2        2 / 0              W32/[EMAIL PROTECTED]
 2        2 / 0              W32/Hybris.worm.B

 --

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
 (Lists)
 Sent: Tuesday, August 26, 2003 2:43 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.Virus] Sobig, the next wave?

 I have seen a major resurgence in messages caught in the last 24 hours, and
 have received a notice pointing to this short article:
 http://www.wininformant.com/articles/index.cfm?articleid=39943

 John Tolmachoff MCSE CSSA
 Engineer/Consultant
 eServices For You
 www.eservicesforyou.com





RE: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread Pat Hastings
You need to restart the SMTP server to let the changes take effect

-Original Message-
From: Sharyn Schmidt [mailto:[EMAIL PROTECTED] 
Sent: 27 August 2003 15:22
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?



You can download it here http://www.csonline.net/imailstuff/viruslog.htm

It *is* my day for dumb questions, or perhaps it's a tribute to Declude
virus that I haven't had to touch the config file since the day I
installed it. After changing the loglevel to MID to use this tool, does
anything need to be restarted?

Thanks,
Sharyn





RE: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread John Carter
I think that is it.  Note: I have Log_Ok None in the config.  So the
total scanned only shows caught emails and total clean is zero.  But I
prefer the smaller virus log files.

John

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sharyn Schmidt
Sent: Wednesday, August 27, 2003 9:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?


You can download it here http://www.csonline.net/imailstuff/viruslog.htm

It *is* my day for dumb questions, or perhaps it's a tribute to Declude
virus that I haven't had to touch the config file since the day I
installed it. After changing the loglevel to MID to use this tool, does
anything need to be restarted?

Thanks,
Sharyn





RE: [Declude.Virus] Sobig, the next wave?

2003-08-27 Thread Tyler Jensen
I didn't, just changed the log level from LOW to MID. I just got my first
five viruses after changing it and they showed up in the output log.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Pat Hastings
 Sent: Wednesday, August 27, 2003 10:30 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] Sobig, the next wave?


 You need to restart the SMTP server to let the changes take effect

 -Original Message-
 From: Sharyn Schmidt [mailto:[EMAIL PROTECTED]
 Sent: 27 August 2003 15:22
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.Virus] Sobig, the next wave?



 You can download it here http://www.csonline.net/imailstuff/viruslog.htm

 It *is* my day for dumb questions, or perhaps it's a tribute to Declude
 virus that I haven't had to touch the config file since the day I
 installed it. After changing the loglevel to MID to use this tool, does
 anything need to be restarted?

 Thanks,
 Sharyn





[Declude.Virus] Sobig- The Morning After

2003-08-23 Thread Doug McKee
THIS IS AN INCREDIBLE GROUP  !
DECLUDE IS AN INCREDIBLE PRODUCT  !!!
KUDOS to you Scott.
Grateful THANKS to all the members who contributed yesterday !

I usually delete about 2500-3000 files from the virus folder every
morning.
The load in the last 24 hours was a few over 20,000.

The banname feature and the badheaders caught about a bunch.

The info received from the group allowed us to prepare and to advise our
clients for what could have been much worse than it was.

Blocking the port kept a PC somewhere in our network from doing any
damage. It made over 1200 attempts to contact a server outside our
network in the first hour. We will hunt it down and make sure it gets
cleaned up. 

I am honored to be a member of this group.
Sincere Thanks,
Doug McKee COO
South Texas Internet



RE: [Declude.Virus] Sobig- The Morning After

2003-08-23 Thread Jeff Maze - Hostmaster
Wow..  That's great..

What port was the machine trying to use?  And what IP was the machine trying
to contact?  

Just curious..

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Doug McKee
Sent: Saturday, August 23, 2003 10:27 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Sobig- The Morning After


THIS IS AN INCREDIBLE GROUP  !
DECLUDE IS AN INCREDIBLE PRODUCT  !!!
KUDOS to you Scott.
Grateful THANKS to all the members who contributed yesterday !

I usually delete about 2500-3000 files from the virus folder every morning.
The load in the last 24 hours was a few over 20,000.

The banname feature and the badheaders caught about a bunch.

The info received from the group allowed us to prepare and to advise our
clients for what could have been much worse than it was.

Blocking the port kept a PC somewhere in our network from doing any damage.
It made over 1200 attempts to contact a server outside our network in the
first hour. We will hunt it down and make sure it gets cleaned up. 

I am honored to be a member of this group.
Sincere Thanks,
Doug McKee COO
South Texas Internet



Re: [Declude.Virus] Sobig- The Morning After

2003-08-23 Thread Serge
here is sobig outbound traffic we stopped at our gateway

80 deny ip any host 67.73.21.6 log (3 matches)
90 deny ip any host 68.38.159.161 log (3 matches)
100 deny ip any host 67.9.241.67 log (3 matches)
110 deny ip any host 66.131.207.81 log (3 matches)
120 deny ip any host 65.177.240.194 log (3 matches)
130 deny ip any host 65.93.81.59 log (3 matches)
140 deny ip any host 65.95.193.138 log (3 matches)
150 deny ip any host 65.92.186.145 log (3 matches)
160 deny ip any host 63.250.82.87 log (3 matches)
170 deny ip any host 65.92.80.218 log (3 matches)
180 deny ip any host 61.38.187.59 log (3 matches)
190 deny ip any host 24.210.182.156 log (3 matches)
200 deny ip any host 24.202.91.43 log (2 matches)
210 deny ip any host 24.206.75.137 log (3 matches)
220 deny ip any host 24.197.143.132 log (3 matches)
230 deny ip any host 12.158.102.205 log (3 matches)
240 deny ip any host 24.33.66.38 log (3 matches)
250 deny ip any host 218.147.164.29 log (3 matches)
260 deny ip any host 12.232.104.221 log (3 matches)
270 deny ip any host 68.50.208.96 log (3 matches)
280 deny udp any any eq 8998 log
290 deny tcp any any eq 8998 log

- Original Message -
From: Jeff Maze - Hostmaster [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 4:01 PM
Subject: RE: [Declude.Virus] Sobig- The Morning After


Wow..  That's great..

What port was the machine trying to use?  And what IP was the machine trying
to contact?

Just curious..

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Doug McKee
Sent: Saturday, August 23, 2003 10:27 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Sobig- The Morning After


THIS IS AN INCREDIBLE GROUP  !
DECLUDE IS AN INCREDIBLE PRODUCT  !!!
KUDOS to you Scott.
Grateful THANKS to all the members who contributed yesterday !

I usually delete about 2500-3000 files from the virus folder every morning.
The load in the last 24 hours was a few over 20,000.

The banname feature and the badheaders caught about a bunch.

The info received from the group allowed us to prepare and to advise our
clients for what could have been much worse than it was.

Blocking the port kept a PC somewhere in our network from doing any damage.
It made over 1200 attempts to contact a server outside our network in the
first hour. We will hunt it down and make sure it gets cleaned up.

I am honored to be a member of this group.
Sincere Thanks,
Doug McKee COO
South Texas Internet
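
Added example (not code from any poster in this thread): one way to find the internal PC behind the blocked attempts is to group the gateway's deny-log entries for outbound UDP 8998, and for any traffic to the listed master servers, by internal source address. The log layout is modelled on Cisco IOS `%SEC-6-IPACCESSLOGP` messages with an ISO timestamp prepended; the sample lines, the `203.0.113.x` stand-in server addresses and the `10.0.0.0/8` internal range are constructed assumptions, and the Friday/Sunday 19:00-22:00 UTC window is the one reported in this thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

SOBIG_UDP_PORT = 8998          # port named in the thread
UPDATE_WEEKDAYS = {4, 6}       # Friday and Sunday (Monday == 0)
UPDATE_HOURS = range(19, 22)   # 19:00-22:00 UTC

# Assumed layout: "<ISO time> <device> %SEC-6-IPACCESSLOGP: list <acl> denied ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ %SEC-6-IPACCESSLOGP: list \S+ denied "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\(\d+\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)

# Constructed placeholders; substitute the addresses from your own ACL.
MASTER_SERVERS = ["203.0.113.6", "203.0.113.161"]
INTERNAL_NETS = ["10.0.0.0/8"]

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2003-08-22T19:00:04Z gw1 %SEC-6-IPACCESSLOGP: list 110 denied udp 10.0.4.23(1055) -> 203.0.113.6(8998), 1 packet
2003-08-22T19:00:09Z gw1 %SEC-6-IPACCESSLOGP: list 110 denied udp 10.0.4.23(1056) -> 203.0.113.161(8998), 3 packets
2003-08-22T19:02:40Z gw1 %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.0.7.9(3321) -> 198.51.100.20(25), 1 packet
2003-08-22T21:59:59Z gw1 %SEC-6-IPACCESSLOGP: list 110 denied udp 10.0.4.23(1060) -> 203.0.113.6(8998), 2 packets
2003-08-23T03:15:00Z gw1 %SEC-6-IPACCESSLOGP: list 110 denied udp 10.0.9.77(1201) -> 192.0.2.50(8998), 1 packet
2003-08-24T20:30:00Z gw1 %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.0.9.77(1202) -> 203.0.113.6(80), 1 packet
2003-08-22T19:05:00Z gw1 %SEC-6-IPACCESSLOGP: list 111 denied udp 192.0.2.99(4000) -> 10.0.4.23(8998), 1 packet
this line is not an ACL log entry
""".splitlines()


@dataclass
class Suspect:
    attempts: int = 0                  # blocked packets attributed to this host
    in_update_window: int = 0          # of those, how many fell in the window
    destinations: set = field(default_factory=set)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def in_update_window(ts):
    """True if ts (UTC) falls in the reported Sobig.F update window."""
    return ts.weekday() in UPDATE_WEEKDAYS and ts.hour in UPDATE_HOURS


def find_suspects(lines, master_servers, internal_nets):
    """Return {internal_ip: Suspect}, busiest host first."""
    masters = {ip_address(a) for a in master_servers}
    nets = [ip_network(n) for n in internal_nets]
    suspects = defaultdict(Suspect)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                   # unrelated or malformed line
        try:
            src, dst = ip_address(m["src"]), ip_address(m["dst"])
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue                   # bad address or timestamp
        ts = ts.replace(tzinfo=timezone.utc)
        if not any(src in net for net in nets):
            continue                   # only outbound traffic from our hosts
        port_hit = m["proto"] == "udp" and int(m["dport"]) == SOBIG_UDP_PORT
        if not (port_hit or dst in masters):
            continue
        n = int(m["count"])
        s = suspects[str(src)]
        s.attempts += n
        if in_update_window(ts):
            s.in_update_window += n
        s.destinations.add(str(dst))
        s.first_seen = ts if s.first_seen is None else min(s.first_seen, ts)
        s.last_seen = ts if s.last_seen is None else max(s.last_seen, ts)
    return dict(sorted(suspects.items(), key=lambda kv: -kv[1].attempts))


if __name__ == "__main__":
    for host, s in find_suspects(SAMPLE_LOG, MASTER_SERVERS, INTERNAL_NETS).items():
        print(host, s.attempts, s.in_update_window, sorted(s.destinations))
```

A host whose hits cluster inside the update window and fan out across several listed servers is the stronger candidate for cleanup; a single UDP 8998 packet outside the window deserves a look but may be unrelated.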



RE: [Declude.Virus] Sobig- The Morning After

2003-08-23 Thread Pete McNeil
At 11:45 AM 8/23/2003 -0500, you wrote:
 THIS IS AN INCREDIBLE GROUP  !
 DECLUDE IS AN INCREDIBLE PRODUCT  !!!
 KUDOS to you Scott.
 Grateful THANKS to all the members who contributed yesterday !
Agreed! My users were protected even before receiving the updated DAT's due
to banning the .pif's.
HERE HERE!
Thanks in large part to Declude we have had NO incursions of Sobig in the 
networks we manage! Hats Off!

 Blocking the port kept a PC somewhere in our network
 from doing any damage. It made over 1200 attempts to
 contact a server outside our network in the first hour.
 We will hunt it down and make sure it gets cleaned up.
I've had only one user that attempted to make a request on UDP 8998. They
were contacted immediately and taken care of. Interestingly enough, this
user utilized the mail services of a different, and obviously unprotected
system.
But now, one must wonder... what's next?
For a long time now we've had a Black First policy on all of our 
networks, further reinforced yesterday when we temporarily restricted 
outbound traffic to ONLY port 80 & 443 for all workstations (no IM, no 
music, nada - you can imagine the moaning that resulted from that).

We've got a lot of fire power invested in detecting and rejecting trouble 
from the wild wired world... but nobody can completely cure a DoS, or 
worse - something completely new... Sobig is definitely a scary customer... 
not as bad as it could be (I dare not speak of the full blown CCA type 
attacks we've simulated in our R&D)... but this one sure has us _AWAKE_ ...

_M

(CCA = Coordinated Cellular Automata. We develop self-supporting 
distributed systems so we have to play white-hat/black-hat games to ensure 
the designs are as secure as we can make them... This issue of Sobig is 
only a few critical pieces shy of being apocalyptically scary.)



RE: [Declude.Virus] Sobig- Phase II bombardment

2003-08-22 Thread R. Scott Perry

 Not only that - but what's this web address that will be updated.

 If it's an IP - then it should be easy to contact the upstream provider.

 If it's a FQDN - then it should be easy for the registrar to lock this
 particular domain against updates

 I don't see why this is supposedly so difficult to accomplish?

Because it is happening at *exactly* the same time.  The timing is based on 
precise clocks, and even if the web site gets shut down in 1 minute, that's 
potentially many thousands of computers that may have downloaded the file.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



RE: [Declude.Virus] Sobig- Phase II bombardment

2003-08-22 Thread John Tolmachoff \(Lists\)
According to this NBC news report, it will occur every Friday and Sunday.

http://www.nbc4.tv/technology/2426381/detail.html?treets=latml=la_natlbreak
ts=Ttmi=la_natlbreak_15913_01270008222003

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


RE: [Declude.Virus] Sobig- Phase II bombardment

2003-08-22 Thread Fritz Squib
See http://isc.sans.org/diary.html?date=2003-08-22

Sobig Update Cycle 

SoBig-F, the most recent incarnation in the family of Sobig mass mailing
viruses, will be entering its update cycle today at 19:00 UTC. Between 19:00
and 22:00 UTC, the virus will attempt to contact a predefined set of hosts
to download updates. At this point, it is not known what the update will do. 

The list of master servers can be updated remotely by using signed UDP
packets to port 995-999. 

Fritz

Frederick P. Squib, Jr.
Network Operations
Citizens Telephone Company of Kecksburg
Citizens Internet Services
http://www.wpa.net



RE: [Declude.Virus] Sobig- Phase II bombardment

2003-08-22 Thread Avolve Support
Exactly, if the servers are known, why doesn't the upstream providers be pro-active 
and block those ip's from being accessed ?

-- Original Message --
From: Andy Schmidt [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 22 Aug 2003 14:20:53 -0400

Not only that - but what's this web address that will be updated.

If it's an IP - then it should be easy to contact the upstream provider.

If it's a FQDN - then it should be easy for the registrar to lock this
particular domain against updates

I don't see why this is supposedly so difficult to accomplish?

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith
Sent: Friday, August 22, 2003 01:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig- Phase II bombardment


The worm connects to one of these 20 servers and authenticates itself with
a secret 8-byte code. The servers respond with a web address. Infected
machines download a program from this address - and run it. At this moment

snipped

--
Avolve Support
Get High Speed Internet - Go Wireless !
http://www.avolvewireless.net
--


[Declude.Virus] SoBig - Narrowing down on source

2003-08-22 Thread Mark Smith
http://www.washingtonpost.com/wp-dyn/articles/A32161-2003Aug22.html



Re: [Declude.Virus] Sobig- Phase II bombardment

2003-08-22 Thread Bill Landry
Thanks for the heads-up, Kris.  We have applied filter rules to all of our
Internet routers to block all outbound IP access to the IP addresses listed
below and to block all outbound udp access to port 8998.

Bill
- Original Message - 
From: Kris Rickerson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, August 22, 2003 10:33 AM
Subject: RE: [Declude.Virus] Sobig- Phase II bombardment



 
 It would seem to me that someone's decoded this encrypted list and if we
 knew what it was we could setup access lists to block connections to the
 20 machines.

 Ask, and you shall receive.

 --

 Subject: ISS Security Brief: Sobig.F Second Phase Action

 -BEGIN PGP SIGNED MESSAGE-


 Computers infected with the Sobig.F worm are programmed
 to automatically download an executable of unknown function
 from a hard-coded list of servers at 19:00 UTC (3:00pm EDT)
 X-Force is recommending wholesale outbound filtering of
 the following IP addresses:


 The request method uses UDP port 8998. X-Force also
 recommends that this port be filtered outbound.



 Kris Rickerson
 Server Administrator
 Middle Georgia College - Cochran, GA  31014
 [EMAIL PROTECTED]
 ---
 This is the material, by the way, that has kept me virtually anonymous in
 America.  Meanwhile, they're draining the Pacific and putting up bench
 seats for Carrot Top's next Showtime special. Carrot Top -- for people who
 didn't get Gallagher.  Gallagher -- the comedian who made his name by
 destroying good food with a sledge hammer at the end of his show.  Gee, I
 wonder why we're hated the world over? - Bill Hicks (1961-1994)



Re: [Declude.Virus] Sobig- Phase II bombardment

2003-08-22 Thread paul
It makes me really wonder how many stupid people is not able to patch
 the own system (or at least outlook).

Exactly!

 they can't do more. (except write a worm that install automatically all
available patches from MS)

What they (M$) really need to do, is make windows update integrated into
Windows, the problem is they tell you Stay current with updates in a
little box above the taskbar when you install Windows (XP at least), so you
can elect to have them downloaded. or you have to download the critical
notification tool. Instead, it should already be set to retrieve critical
updates, and the notification should be a big window that says YOU HAVE
CRITICAL PATCHES FOR YOUR SYSTEM AVAILABLE TO INSTALL! PLEASE CONSULT KB
ARTICLE X TO ENSURE VALIDITY AND UPDATE ASAP FAILURE TO UPDATE LEAVES YOUR
SYSTEM VULNERABLE TO HACKERS, WORMS, VIRUSES, ETC. To which you click some
acknowledge button, but will come back if you don't update. People need to
know they need to keep software like this updated.

Plus M$ releasing a patch that doesn't cause more problems is nice too.

Paul




RE: [Declude.Virus] Sobig- Phase II bombardment

2003-08-22 Thread Mark Smith
 What they (M$) really need to do, is make windows update 
 integrated into Windows, the problem is they tell you Stay 
 current with updates in a little box above the taskbar when

There are huge debates about this. It's amazing that people are against
this.
Look at the newsgroups, etc...



Re: [Declude.Virus] Sobig- Phase II bombardment

2003-08-22 Thread andyb
If it was easy, and if every computer user was computer literate and
responsible, we wouldn't have jobs...

Andy
- Original Message -
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, August 22, 2003 3:17 PM
Subject: RE: [Declude.Virus] Sobig- Phase II bombardment



  Sobig.G will have a line X-MailScanner: The Sobig.G virus is in the
  attachment, you will be infected if you open it... and
  Sobig.G will spread just as fast as Sobig.F.


 It makes me really wonder how many stupid people is not able to patch
 the own system (or at least outlook).

 I swear I will light 100 candles the day when a new
 Outlook-vulnerability worm will spread and removes any text, number and
 picture from any DOC, XLS, and PPT-files he can found.

 Other 100 candles if the worm places a You're really stupid! Patch your
 system or turn your computer off - immediately! in any DOC-file. (Maybe
 also in other international languages)

 If the worms continue with the actual destructive functionality, most
 people will never patch the own system. They will only say: Ouch, how
 slow is the Internet today!


 What I will say:
 Not Sobig.f is frustrating but all this ignorant people that are not
 able to patch the own system.
 Culpability of MS? As I know they offer patches for all this
 vulnerabilities for a long time now. They can't do more. (except write a
 worm that install automatically all available patches from MS)

 Maybe the worm I wait for shouldn't delete anything, but change only
 some numbers in MS-Documents. I think that's enough to cause the
 attention of the end user - and not make work technicians like us day
 and night.

 Markus



RE: [Declude.Virus] Sobig- Phase II bombardment

2003-08-22 Thread John Tolmachoff \(Lists\)
Anyone seeing or hearing of any happenings on this?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com




RE: [Declude.Virus] Sobig- Phase II bombardment

2003-08-22 Thread R. Scott Perry

 Anyone seeing or hearing of any happenings on this?

F-Secure has reported that 1 of the 20 servers appears to be up, but it is 
so overwhelmed that viruses aren't getting anything from it.  But that does 
mean that some could be getting through.

All we've seen is what seems to be a precautionary measure from one ISP 
blocking home users from sending any ICMP or UDP packets, but it appears to 
just be a precautionary measure.

   -Scott


[Declude.Virus] Sobig F.. mutating..

2003-08-21 Thread Kami Razvan

Hi;

Interesting...

"... Sobig is unusual in that it has the ability to go onto the Internet from
its host PC and update itself with new capabilities, Huger said. Those
capabilities could include tools for denial-of-service attacks or relaying
spam. "It's entirely up to the author (of the virus)," Huger said. "It can
download whatever its heart desires."
http://www.informationweek.com/story/showArticle.jhtml?articleID=13100787

Regards,
Kami


RE: [Declude.Virus] Sobig - Easy to Detect?

2003-08-20 Thread Fritz Squib
I have informed the fine folks at MailScanner of this.

For those of you supporting MailScanner on a Linux box, MailScanner has a
couple of options in the config file for the headers:

  - Append the new data to the existing header
  - Add a new header
  - Replace the existing header

I have set mine to replace the existing headers; this *should* remove any
forged X-MailScanner headers.

Fritz

Frederick P. Squib, Jr.
Network Operations
Citizens Telephone Company of Kecksburg
Citizens Internet Services
http://www.wpa.net 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Tuesday, August 19, 2003 11:11 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Sobig - Easy to Detect?


Hi,

Is it just me, or is Sobig.F always adding the fake header:

X-MailScanner: Found to be clean

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 

---
[This E-mail scanned by Citizens Internet Services with Declude Virus.]
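
The three header options listed in the post above, modeled on a message that arrives already carrying the forged `X-MailScanner: Found to be clean` header. This is an added example, not part of the original post and not MailScanner's own code; the mode names mirror the post, while the function names, the comma join used for "append", the sample message and the local verdict string are assumptions.

```python
from email import message_from_string

VERDICT_HEADER = "X-MailScanner"  # header name quoted in the thread

# Constructed sample: an inbound message that already carries a verdict
# header before the local gateway has scanned it.
SAMPLE = (
    "From: sender@example.com\n"
    "To: user@example.net\n"
    "Subject: constructed sample\n"
    "X-MailScanner: Found to be clean\n"
    "\n"
    "body\n"
)

def stamp_verdict(msg, verdict, mode):
    """Write the local verdict using one of the three header modes.

    Returns the verdict values already present on arrival; on mail from
    outside, a non-empty list means the header was not set by this gateway.
    """
    inbound = msg.get_all(VERDICT_HEADER, [])
    if mode == "replace":
        del msg[VERDICT_HEADER]          # drops every existing occurrence
        msg[VERDICT_HEADER] = verdict
    elif mode == "add":
        msg[VERDICT_HEADER] = verdict    # adds a second header field
    elif mode == "append":
        if inbound:                      # assumed join format: "old, new"
            msg.replace_header(VERDICT_HEADER, f"{inbound[0]}, {verdict}")
        else:
            msg[VERDICT_HEADER] = verdict
    else:
        raise ValueError(f"unknown mode: {mode}")
    return inbound

def delivered_verdicts(raw, verdict, mode):
    """Return (values present on arrival, values the recipient will see)."""
    msg = message_from_string(raw)
    inbound = stamp_verdict(msg, verdict, mode)
    return inbound, msg.get_all(VERDICT_HEADER)

if __name__ == "__main__":
    for mode in ("append", "add", "replace"):
        print(mode, delivered_verdicts(SAMPLE, "Found to be infected", mode))
```

Only "replace" leaves the recipient with the local verdict alone; in the other two modes the forged "clean" value is still delivered alongside it.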




[Declude.Virus] SoBig F

2003-08-19 Thread Darrell LaRock
FYI: McAfee's Extra Dat is not catching all instances of this virus...
However, it is still being dropped by the banned pif extension.

Darrell




RE: [Declude.Virus] SoBig F

2003-08-19 Thread Andy Schmidt
Hm - I've seen a few messages go through that were generated by the virus -
but that did NOT include any attachment.  They were scanned and cleaned by
an outbound virus scanner on the other side.

I have yet to actually see any infected virus making it to my inbox - yet
I've seen hundreds being rejected.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell LaRock
Sent: Tuesday, August 19, 2003 12:23 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] SoBig F


FYI: McAfee's Extra Dat is not catching all instances of this virus...
However, it is still being dropped by the banned pif extension.

Darrell




Re: [Declude.Virus] SoBig F

2003-08-19 Thread paul
> FYI: McAfee's Extra Dat is not catching all instances of this virus...
> However, it is still being dropped by the banned pif extension.

Wow! I've noted over 200 hits of this virus today so far. sheesh. 

Paul - Glad I have Fprot checking for updates every 2 hours to be safe.



[Declude.Virus] Sobig - Easy to Detect?

2003-08-19 Thread Andy Schmidt
Hi,

Is it just me, or is Sobig.F always adding the fake header:

X-MailScanner: Found to be clean

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



Re: [Declude.Virus] Sobig - Easy to Detect?

2003-08-19 Thread Eje Gustafsson
As far as I can tell, yes.

Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
   - Your Full Time Professionals -
Mikrotik OEM dealer - Online Store http://www.fament.net/
-- 
AS Hi,

AS Is it just me, or is Sobig.F always adding the fake header:

AS X-MailScanner: Found to be clean

AS Best Regards
AS Andy Schmidt

AS Phone:  +1 201 934-3414 x20 (Business)
AS Fax:+1 201 934-9206 
