Re: [Declude.Virus] SoBig.f email coming through
Hello,

It seems I am getting the Sobig email coming through to my users but without a payload. In other words they are getting the message with all characteristics of SoBig.f but no attachment. Anyone know why this may be? I cannot filter on some of the subjects such as 'd e t a i l s ... or... A p p r o v e d, so filtering in junkmail is out. I do strip all attachments that could carry a payload so I am good there. Users are just worried they are infected, which they should not be since all attachments are stripped. And as far as shares on the LAN, I am very careful with those, but I do have to have open shares for the last of our Win95 systems.

I have been slammed with an AS/400 down the last three days so if this is a dumb question please let it pass till I have more sleep.

--
Best regards,
~Paul~ mailto:[EMAIL PROTECTED]

---
{This E-mail scanned for viruses by Declude Virus/McAfee}
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] SoBig.f email coming through
I understand that SoBig comes with a .pif attachment. I have .pif files among my banned extensions but haven't seen a single incident of this virus coming in. It hasn't been caught as a virus or a banned extension. Are we just extremely lucky or should I be worried I'm missing something? No reports from any users that their desktop scanners have detected it yet either. As far as I can tell we're safe here.

Rodney Bertsch
IS Coordinator
Kirk NationaLease Co.
RE: [Declude.Virus] SoBig.f email coming through
While everyone was reporting catching them starting yesterday morning, I did not see the first one until mid afternoon. Go figure.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Rodney Bertsch
Sent: Wednesday, August 20, 2003 6:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] SoBig.f email coming through

I understand that SoBig comes with a .pif attachment. I have .pif files among my banned extensions but haven't seen a single incident of this virus coming in. It hasn't been caught as a virus or a banned extension. Are we just extremely lucky or should I be worried I'm missing something? No reports from any users that their desktop scanners have detected it yet either. As far as I can tell we're safe here.

Rodney Bertsch
IS Coordinator
Kirk NationaLease Co.
RE: [Declude.Virus] SoBig.F
Hi Scott:

I used McAfee and it started blocking it since 8:31 EDT (I pull in their daily updates hourly).

08/19/2003 08:31:18 Q1893028b01baf614 Scanner 1: Virus= the W32/[EMAIL PROTECTED] virus !!! Attachment=details.pif [11] I
08/19/2003 08:31:18 Q1893028b01baf614 Found a bogus .pif file
08/19/2003 08:31:18 Q1893028b01baf614 File(s) are INFECTED [ the W32/[EMAIL PROTECTED] virus !!!: 13]
08/19/2003 08:31:18 Q1893028b01baf614 Scanned: CONTAINS A VIRUS [MIME: 4 76174]
08/19/2003 08:31:18 Q1893028b01baf614 From: [Forged] To: [EMAIL PROTECTED] [incoming from x.x.x.x]
08/19/2003 08:31:18 Q1893028b01baf614 Subject: DELIVERY FAILURE: User name ([EMAIL PROTECTED]) not listed in DominoDirectory

Best Regards
Andy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Hahn
Sent: Tuesday, August 19, 2003 09:56 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] [OT:] SoBig.E

These are flowing in by the hundreds. I have banext turned on but the .eml that goes back to the sender gets held up.

1) Can I block the sending IP if I know it?
2) How can I analyze exactly how many are flowing in?
3) Does anyone else use mcafee? I do not see it updated in their dats?

Thanks
Scott Hahn

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 9:25 AM
Subject: Re: [Declude.Virus] [OT:] SoBig.E

> Holy cow.. Anyone else notice a MAJOR influx of infected messages with the SoBig.E virus? We just received about 10 messages in a matter of 5 minutes (which is a lot since we average about 3000 messages a day)..

It's actually Sobig.F, a new variant that was just released today.

-Scott
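Added example, not part of any message in this thread and not Declude's own tooling: one way to answer the question quoted above about how many infected messages are arriving and from which addresses, by tallying log lines laid out like the excerpt in the message above. The sample log, spool ids, virus names and IP addresses are constructed, and the line layout is assumed from that excerpt only.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample; layout assumed from the excerpt quoted in the thread:
# "MM/DD/YYYY HH:MM:SS <spool id> <text>". Names and addresses are made up.
SAMPLE_LOG = """\
08/19/2003 08:31:18 Qc000000000000001 Scanner 1: Virus= the W32/Sample.a virus !!! Attachment=details.pif [11] I
08/19/2003 08:31:18 Qc000000000000001 Found a bogus .pif file
08/19/2003 08:31:18 Qc000000000000001 File(s) are INFECTED [ the W32/Sample.a virus !!!: 13]
08/19/2003 08:31:18 Qc000000000000001 Scanned: CONTAINS A VIRUS [MIME: 4 76174]
08/19/2003 08:31:18 Qc000000000000001 From: [Forged] To: user@example.test [incoming from 192.0.2.10]
08/19/2003 08:47:02 Qc000000000000002 Scanner 1: Virus= the W32/Sample.a virus !!! Attachment=sample.pif [11] I
08/19/2003 08:47:02 Qc000000000000002 Scanner 2: Virus= the Sample-A virus !!! Attachment=sample.pif [11] I
08/19/2003 08:47:02 Qc000000000000002 Scanned: CONTAINS A VIRUS [MIME: 4 76174]
08/19/2003 08:47:02 Qc000000000000002 From: [Forged] To: user@example.test [incoming from 192.0.2.10]
08/19/2003 09:05:40 Qc000000000000003 From: someone@example.test To: user@example.test [incoming from 198.51.100.7]
08/19/2003 09:12:11 Qc000000000000004 Scanner 1: Virus= the W32/Sample.b virus !!! Attachment=sample2.pif [11] I
08/19/2003 09:12:11 Qc000000000000004 Scanned: CONTAINS A VIRUS [MIME: 4 76174]
08/19/2003 09:12:11 Qc000000000000004 From: [Forged] To: user@example.test [incoming from 198.51.100.7]
this line is damaged and must be skipped
"""

LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
VIRUS_RE = re.compile(r"^Scanner \d+: Virus= the (.+?) virus !!! Attachment=(\S+)")
SOURCE_RE = re.compile(r"\[incoming from ([^\]]+)\]")
VERDICT = "Scanned: CONTAINS A VIRUS"


def summarize(log_text):
    """Count infected messages (not log lines) per hour, virus and source."""
    messages = defaultdict(dict)  # spool id -> facts gathered from its lines
    for line in log_text.splitlines():
        parsed = LINE_RE.match(line)
        if not parsed:
            continue  # blank or damaged line
        stamp, spool_id, text = parsed.groups()
        record = messages[spool_id]
        record.setdefault("time", datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S"))
        hit = VIRUS_RE.match(text)
        if hit:
            # With two scanners both may report; keep the first name only so
            # one message is never counted twice.
            record.setdefault("virus", hit.group(1))
            record.setdefault("attachment", hit.group(2))
        elif text.startswith(VERDICT):
            record["infected"] = True
        else:
            source = SOURCE_RE.search(text)
            if source:
                record["source"] = source.group(1)
    infected = [r for r in messages.values() if r.get("infected")]
    return {
        "total": len(infected),
        "per_hour": Counter(r["time"].strftime("%Y-%m-%d %H:00") for r in infected),
        "per_virus": Counter(r.get("virus", "unknown") for r in infected),
        "per_source": Counter(r.get("source", "unknown") for r in infected),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("infected messages:", report["total"])
    for key in ("per_hour", "per_virus", "per_source"):
        for name, count in report[key].most_common():
            print(f"  {key:<10} {name:<20} {count}")
```

Grouping by spool id rather than counting matching lines keeps the totals honest when two scanners flag the same message, and the per-source tally shows which sending addresses account for the volume.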
RE: [Declude.Virus] SoBig.F?
Are you seeing this as a pif inside an attached .eml? Although not caught by anything, I had a very strange undeliverable mail message in my box today that fit this criteria. The Sender and rDNS were both blank in the message.

Received: from is3.auto-trol.com [143.198.15.20] by staffingtech.com with ESMTP (SMTPD32-7.15) id A35EB800B6; Tue, 19 Aug 2003 09:17:18 -0400
Received: by is3.auto-trol.com with Internet Mail Service (5.5.2653.19) id QZFVHFY3; Tue, 19 Aug 2003 07:17:17 -0600
Message-ID: [EMAIL PROTECTED]
From: System Administrator [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Undeliverable: Re: That movie
Date: Tue, 19 Aug 2003 07:17:16 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-MS-Embedded-Report:
Content-Type: multipart/mixed; boundary=_=_NextPart_000_01C36654.363E1673
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 143.198.15.20 with no reverse DNS entry.
X-Declude-Sender: [143.198.15.20]
X-Declude-Spoolname: D235e00b800b6d9fd.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Declude: Version 1.75i2; D235e00b800b6d9fd.SMD
X-Declude: Failed IPNOTINMX, REVDNS [5]
X-Note: This E-mail was sent from [No Reverse DNS] ([143.198.15.20]).
X-Countries: UNITED STATES-destination
Return-Path:
X-Note: - Total spam weight of this E-mail is 5.
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 300613514

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Andy Schmidt
Sent: Tuesday, August 19, 2003 11:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] SoBig.F

Hi Scott:

I used McAfee and it started blocking it since 8:31 EDT (I pull in their daily updates hourly).

08/19/2003 08:31:18 Q1893028b01baf614 Scanner 1: Virus= the W32/[EMAIL PROTECTED] virus !!! Attachment=details.pif [11] I
08/19/2003 08:31:18 Q1893028b01baf614 Found a bogus .pif file
08/19/2003 08:31:18 Q1893028b01baf614 File(s) are INFECTED [ the W32/[EMAIL PROTECTED] virus !!!: 13]
08/19/2003 08:31:18 Q1893028b01baf614 Scanned: CONTAINS A VIRUS [MIME: 4 76174]
08/19/2003 08:31:18 Q1893028b01baf614 From: [Forged] To: [EMAIL PROTECTED] [incoming from x.x.x.x]
08/19/2003 08:31:18 Q1893028b01baf614 Subject: DELIVERY FAILURE: User name ([EMAIL PROTECTED]) not listed in DominoDirectory

Best Regards
Andy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Hahn
Sent: Tuesday, August 19, 2003 09:56 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] [OT:] SoBig.E

These are flowing in by the hundreds. I have banext turned on but the .eml that goes back to the sender gets held up.

1) Can I block the sending IP if I know it?
2) How can I analyze exactly how many are flowing in?
3) Does anyone else use mcafee? I do not see it updated in their dats?

Thanks
Scott Hahn

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 9:25 AM
Subject: Re: [Declude.Virus] [OT:] SoBig.E

> Holy cow.. Anyone else notice a MAJOR influx of infected messages with the SoBig.E virus? We just received about 10 messages in a matter of 5 minutes (which is a lot since we average about 3000 messages a day)..

It's actually Sobig.F, a new variant that was just released today.

-Scott

---
[This E-mail scanned for viruses by Declude Virus]
RE: [Declude.Virus] SoBig.F
Hello Andy,

> I used McAfee and it started blocking it since 8:31 EDT (I pull in their daily updates hourly).

How do you pull the updates hourly? I use the Instant Updater but it looks that it does the updates just once per day.

Adolfo Justiniano
Santa Cruz BBS
e-mail: [EMAIL PROTECTED]
http://www.scbbs.net

---
[This E-mail was scanned for viruses by the Santa Cruz BBS anti-virus system]
Re: [Declude.Virus] Sobig.F
McAfee is catching it fine here. Make sure your virus definitions are at least at 4.0.4287.

Bill

----- Original Message -----
From: Bill Newberg [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 10:29 AM
Subject: [Declude.Virus] Sobig.F

F-Prot is catching Sobig.F, but McAfee is still not picking them up. Looks like a reversal of last week's problem with F-Prot not catching the virus and McAfee catching it. I'm glad I'm running dual scanners.
RE: [Declude.Virus] Sobig.F
McAfee was blocking Sobig.f as of 8:31 AM Eastern Time on my server according to my Declude Log files before I read the first reports on this list. Are your virus signatures up to date/hour?

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Newberg
Sent: Tuesday, August 19, 2003 01:29 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Sobig.F

F-Prot is catching Sobig.F, but McAfee is still not picking them up. Looks like a reversal of last week's problem with F-Prot not catching the virus and McAfee catching it. I'm glad I'm running dual scanners.
RE: [Declude.Virus] Sobig.F [OT]
I have to concur on this, we are seeing our traffic levels increased by a factor of 7 due to this virus..

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Maze - Hostmaster
Sent: Tuesday, August 19, 2003 3:25 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Sobig.F [OT]

By the looks of things, this virus is going to be worse than the Klez. It's amazing the number of e-mail received.
RE: [Declude.Virus] Sobig.F [OT]
And now I've noticed that there are more and more coming from DSL lines and the private sector instead of universities (as a majority of the first infections on my end were coming from)..

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell LaRock
Sent: Tuesday, August 19, 2003 2:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig.F [OT]

I have to concur on this, we are seeing our traffic levels increased by a factor of 7 due to this virus..

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Maze - Hostmaster
Sent: Tuesday, August 19, 2003 3:25 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Sobig.F [OT]

By the looks of things, this virus is going to be worse than the Klez. It's amazing the number of e-mail received.
Re: [Declude.Virus] Sobig.F
Can anyone share the McAfee definition files for this? Ours is currently at 4286 and I can't get in manually or automatically to download the current definition files.

Thanks,
Dan

----- Original Message -----
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 1:42 PM
Subject: Re: [Declude.Virus] Sobig.F

McAfee is catching it fine here. Make sure your virus definitions are at least at 4.0.4287.

Bill

----- Original Message -----
From: Bill Newberg [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 10:29 AM
Subject: [Declude.Virus] Sobig.F

F-Prot is catching Sobig.F, but McAfee is still not picking them up. Looks like a reversal of last week's problem with F-Prot not catching the virus and McAfee catching it. I'm glad I'm running dual scanners.

This E-mail is scanned and free from viruses. www.nexustechgroup.com
Re: [Declude.Virus] Sobig.F
Go to www.nai.com and select the Downloads link. Grab the latest engine update (SuperDat File (Engine + DAT)) which will upgrade your engine to 4.2.60 and the virus definitions to 4.0.4287.

Bill

----- Original Message -----
From: Dan Geiser [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 2:12 PM
Subject: Re: [Declude.Virus] Sobig.F

Can anyone share the McAfee definition files for this? Ours is currently at 4286 and I can't get in manually or automatically to download the current definition files.

Thanks,
Dan

----- Original Message -----
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 1:42 PM
Subject: Re: [Declude.Virus] Sobig.F

McAfee is catching it fine here. Make sure your virus definitions are at least at 4.0.4287.

Bill

----- Original Message -----
From: Bill Newberg [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 10:29 AM
Subject: [Declude.Virus] Sobig.F

F-Prot is catching Sobig.F, but McAfee is still not picking them up. Looks like a reversal of last week's problem with F-Prot not catching the virus and McAfee catching it. I'm glad I'm running dual scanners.
Re: [Declude.Virus] Sobig.F
Forget it. I finally got through to McAfee's web site. Sorry for bothering y'all!!!

----- Original Message -----
From: Dan Geiser [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 5:12 PM
Subject: Re: [Declude.Virus] Sobig.F

Can anyone share the McAfee definition files for this? Ours is currently at 4286 and I can't get in manually or automatically to download the current definition files.

Thanks,
Dan

----- Original Message -----
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 1:42 PM
Subject: Re: [Declude.Virus] Sobig.F

McAfee is catching it fine here. Make sure your virus definitions are at least at 4.0.4287.

Bill

----- Original Message -----
From: Bill Newberg [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 10:29 AM
Subject: [Declude.Virus] Sobig.F

F-Prot is catching Sobig.F, but McAfee is still not picking them up. Looks like a reversal of last week's problem with F-Prot not catching the virus and McAfee catching it. I'm glad I'm running dual scanners.
RE: [Declude.Virus] Sobig.f
I just checked - we caught 4,700 occurrences of this virus so far since this morning at 8:31 AM EDT.

This is by a huge margin the most aggressive virus that I've ever observed.

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206