[Declude.Virus] Sobig- The Morning After
THIS IS AN INCREDIBLE GROUP! DECLUDE IS AN INCREDIBLE PRODUCT!!! KUDOS to you Scott. Grateful THANKS to all the members who contributed yesterday!

I usually delete about 2500-3000 files from the virus folder every morning. The load in the last 24 hours was a few over 20,000. The banname feature and the badheaders caught a bunch.

The info received from the group allowed us to prepare and to advise our clients for what could have been much worse than it was. Blocking the port kept a PC somewhere in our network from doing any damage. It made over 1200 attempts to contact a server outside our network in the first hour. We will hunt it down and make sure it gets cleaned up.

I am honored to be a member of this group.

Sincere Thanks,
Doug McKee
COO
South Texas Internet

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] Sobig- The Morning After
Wow.. That's great.. What port was the machine trying to use? And what IP was the machine trying to contact? Just curious..

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Doug McKee
Sent: Saturday, August 23, 2003 10:27 AM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Sobig- The Morning After

> [...]
> Blocking the port kept a PC somewhere in our network from doing any damage. It made over 1200 attempts to contact a server outside our network in the first hour. We will hunt it down and make sure it gets cleaned up.
> [...]
Re: [Declude.Virus] Sobig- The Morning After
Here is Sobig outbound traffic we stopped at our gateway:

    80 deny ip any host 67.73.21.6 log (3 matches)
    90 deny ip any host 68.38.159.161 log (3 matches)
    100 deny ip any host 67.9.241.67 log (3 matches)
    110 deny ip any host 66.131.207.81 log (3 matches)
    120 deny ip any host 65.177.240.194 log (3 matches)
    130 deny ip any host 65.93.81.59 log (3 matches)
    140 deny ip any host 65.95.193.138 log (3 matches)
    150 deny ip any host 65.92.186.145 log (3 matches)
    160 deny ip any host 63.250.82.87 log (3 matches)
    170 deny ip any host 65.92.80.218 log (3 matches)
    180 deny ip any host 61.38.187.59 log (3 matches)
    190 deny ip any host 24.210.182.156 log (3 matches)
    200 deny ip any host 24.202.91.43 log (2 matches)
    210 deny ip any host 24.206.75.137 log (3 matches)
    220 deny ip any host 24.197.143.132 log (3 matches)
    230 deny ip any host 12.158.102.205 log (3 matches)
    240 deny ip any host 24.33.66.38 log (3 matches)
    250 deny ip any host 218.147.164.29 log (3 matches)
    260 deny ip any host 12.232.104.221 log (3 matches)
    270 deny ip any host 68.50.208.96 log (3 matches)
    280 deny udp any any eq 8998 log
    290 deny tcp any any eq 8998 log

----- Original Message -----
From: Jeff Maze - Hostmaster [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 4:01 PM
Subject: RE: [Declude.Virus] Sobig- The Morning After

> Wow.. That's great.. What port was the machine trying to use? And what IP was the machine trying to contact? Just curious..
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Doug McKee
> Sent: Saturday, August 23, 2003 10:27 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.Virus] Sobig- The Morning After
>
> > [...]
> > Blocking the port kept a PC somewhere in our network from doing any damage. It made over 1200 attempts to contact a server outside our network in the first hour. We will hunt it down and make sure it gets cleaned up.
> > [...]
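The ACL above and Doug's "we will hunt it down" are two halves of one job: the `(N matches)` counters from `show access-list` tell you a rule fired, but it is the syslog lines produced by the `log` keyword that name the inside address doing the beaconing. The script below is an added example, not code from the thread or from Declude. It parses those lines, sums denied packets per inside source, and separates a host hammering the blocked destinations from a host that sent a single stray probe. The log lines are constructed for the example; their shape follows the IOS `%SEC-6-IPACCESSLOGP` message, which is an assumption about the exact text you should check against your own router. The destination set is copied from the ACL posted above.

```python
"""
Added example (not code from the mailing-list post): turn the syslog lines
that the ACL's 'log' keyword produces into a per-host list of suspects,
i.e. the "hunt it down" step Doug describes.

Assumptions: the log lines below are CONSTRUCTED, in the shape of the IOS
%SEC-6-IPACCESSLOGP message (check the exact text against your router).
The destination set is copied from the ACL posted in the thread.
"""
import re
from collections import Counter, defaultdict

# Hosts denied by the posted ACL (entries 80-270); entries 280-290 deny port 8998.
DENIED_HOSTS = {
    "67.73.21.6", "68.38.159.161", "67.9.241.67", "66.131.207.81",
    "65.177.240.194", "65.93.81.59", "65.95.193.138", "65.92.186.145",
    "63.250.82.87", "65.92.80.218", "61.38.187.59", "24.210.182.156",
    "24.202.91.43", "24.206.75.137", "24.197.143.132", "12.158.102.205",
    "24.33.66.38", "218.147.164.29", "12.232.104.221", "68.50.208.96",
}
DENIED_PORT = 8998

# Constructed sample: one host beaconing repeatedly, one host with a single
# stray probe, plus unrelated lines the parser must ignore.
SAMPLE_LOG = """\
Aug 23 10:02:11 gw1 123: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.10.44(1034) -> 67.73.21.6(8998), 1 packet
Aug 23 10:07:11 gw1 124: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.10.44(1034) -> 68.38.159.161(8998), 37 packets
Aug 23 10:07:12 gw1 125: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.10.44(1035) -> 65.93.81.59(8998), 40 packets
Aug 23 10:08:00 gw1 126: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.10.9(3021) -> 198.51.100.7(135), 1 packet
Aug 23 10:09:30 gw1 127: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.10.9(1100) -> 203.0.113.5(8998), 2 packets
Aug 23 10:09:31 gw1 128: %SYS-5-CONFIG_I: Configured from console by admin
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>\d+(?:\.\d+){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return the fields of one ACL deny line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("sport", "dport", "count"):
        ev[key] = int(ev[key])
    return ev


def is_sobig_like(ev):
    """A hit on a denied host, or on port 8998 to anywhere, is what we are hunting."""
    return ev["dst"] in DENIED_HOSTS or ev["dport"] == DENIED_PORT


def summarize(lines, threshold=10):
    """Per inside source address: denied packets, distinct destinations, verdict.

    IOS rate-limits ACL logging and later lines carry 'N packets', so the
    count field is summed instead of counting lines.  Returns
    {src: {"packets": int, "destinations": set, "suspect": bool}}.
    """
    packets = Counter()
    dests = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_sobig_like(ev):
            continue
        packets[ev["src"]] += ev["count"]
        dests[ev["src"]].add(ev["dst"])
    return {
        src: {"packets": n, "destinations": dests[src], "suspect": n >= threshold}
        for src, n in packets.items()
    }


def suspects(lines, threshold=10):
    """Inside addresses to go and clean, busiest first."""
    summary = summarize(lines, threshold)
    return sorted(
        (src for src, info in summary.items() if info["suspect"]),
        key=lambda src: -summary[src]["packets"],
    )


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(src, info["packets"], "packets to", sorted(info["destinations"]),
              "SUSPECT" if info["suspect"] else "single probe, verify by hand")
```

The threshold is deliberately low: a cleaned host should generate no traffic to these destinations at all, so even a handful of packets is worth a look, while a host producing the kind of volume Doug saw (over 1200 attempts in an hour) will stand out regardless of where the threshold sits.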
RE: [Declude.Virus] Sobig- The Morning After
At 11:45 AM 8/23/2003 -0500, you wrote:
> THIS IS AN INCREDIBLE GROUP! DECLUDE IS AN INCREDIBLE PRODUCT!!! KUDOS to you Scott. Grateful THANKS to all the members who contributed yesterday!

Agreed! My users were protected even before receiving the updated DATs due to banning the .pif's.

Hear, hear! Thanks in large part to Declude we have had NO incursions of Sobig in the networks we manage! Hats off!

> Blocking the port kept a PC somewhere in our network from doing any damage. It made over 1200 attempts to contact a server outside our network in the first hour. We will hunt it down and make sure it gets cleaned up.

I've had only one user that attempted to make a request on UDP 8998. They were contacted immediately and taken care of. Interestingly enough, this user utilized the mail services of a different, and obviously unprotected, system.

But now, one must wonder... what's next?

For a long time now we've had a Black First policy on all of our networks, further reinforced yesterday when we temporarily restricted outbound traffic to ONLY ports 80 and 443 for all workstations (no IM, no music, nada - you can imagine the moaning that resulted from that). We've got a lot of fire power invested in detecting and rejecting trouble from the wild wired world... but nobody can completely cure a DoS, or worse - something completely new...

Sobig is definitely a scary customer... not as bad as it could be (I dare not speak of the full blown CCA type attacks we've simulated in our R&D)... but this one sure has us _AWAKE_ ...

_M

(CCA = Coordinated Cellular Automata. We develop self-supporting distributed systems so we have to play white-hat/black-hat games to ensure the designs are as secure as we can make them... This issue of Sobig is only a few critical pieces shy of being apocalyptically scary.)
[Declude.Virus] No wonder viruses spread
Here is a snippet of some ongoing email I'm having with a LAN administrator at a university hospital. I forwarded a copy of the Declude virus catch, to show them the IP #'s of the machine that sent the Sobig virus. I can't get it through his head that the headers are forged, and irrelevant. My last message to him pleaded to have him establish a telephone dialog with me so I could explain the message to him ... I politely told him if he wants to take the chance that a workstation is infected within their LAN based on the assumption that he might really be wrong, he was welcome to the havoc it will cause.

sigh

David Dodell

===Original message text===
David,

In looking at the header you sent Marcy, the subject of the message is "Undeliverable: Re: Details", which means our e-mail system was sending you a message back that it couldn't deliver a message from you. My best guess is that Sobig may be on your pc, and you have a contact somewhere to someone at uch that is no longer here or valid. Not too uncommon, for we changed our domain last year. Furthermore, our e-mail system doesn't allow .pif or .scr attachments and will strip them if attempted, whether infected or not. We appreciate the heads up, but based upon the header it looks like it was a bounced message from you that was infected and thus the hit by your antivirus. If you have any additional questions, comments, or concerns don't hesitate to let me know.

-----Original Message-----
This came from David who said this came from one of our computers. He said he was this stat technology.

Marcy

-----Original Message-----
From: David Dodell [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 23, 2003 2:22 PM
To: [left out to protect identity]
Subject: Fwd: Virus Notification

===Original message text===
Declude Virus v1.75i2 caught the following:

Virus Name: W32/[EMAIL PROTECTED]
Virus File: movie0045.pif
From: [Forged]
To : [EMAIL PROTECTED]
Date: 08/23/2003 13:06:35
Subject: Undeliverable: Re: Details
Spool File: Dc94a00d300be355a.SMD
RemoteIP: 168.200.2.37
SenderHost: Unknown

Received: from guava.uch.edu [168.200.2.37] by stat.com with ESMTP (SMTPD32-8.02) id A94AD300BE; Sat, 23 Aug 2003 13:06:34 -0700
Received: from mail pickup service by guava.uch.edu with Microsoft SMTPSVC; Sat, 23 Aug 2003 14:06:33 -0600
Received: from uchaex2.uch.ad.pvt ([168.200.32.18]) by guava.uch.edu with Microsoft SMTPSVC(5.0.2195.5329); Sat, 23 Aug 2003 14:06:23 -0600
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Received: by uchaex2.uch.ad.pvt with Internet Mail Service (5.5.2653.19) id RLYYQK7T; Sat, 23 Aug 2003 14:06:23 -0600
Message-ID: [EMAIL PROTECTED]
from: System Administrator [EMAIL PROTECTED]
to: [EMAIL PROTECTED] [EMAIL PROTECTED]
subject: Undeliverable: Re: Details
Date: Sat, 23 Aug 2003 14:06:22 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-MS-Embedded-Report:
Content-Type: multipart/mixed; boundary=_=_NextPart_000_01C369B2.066CB0EC
Return-Path:
X-OriginalArrivalTime: 23 Aug 2003 20:06:23.0921 (UTC) FILETIME=[07029210:01C369B2]
===End of original message text===
===End of original message text===
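The disagreement above comes down to which parts of that header block are evidence. Only the topmost `Received:` line was written by the receiving MTA (stat.com); it records the peer that actually opened the SMTP connection, which is the same address Declude prints as `RemoteIP`. Every `Received:` line below it was stamped by someone else's server and is hearsay, and `From:`, `Return-Path:` and the rest of the message are whatever the sender chose to put there, which for Sobig means forged. The following is an added example, not code from the thread or from Declude, that walks a Received chain in that order and also checks the bounce indicators visible in the catch (the Exchange `Undeliverable:` subject prefix, the `X-MS-Embedded-Report` header, and the empty reverse path that RFC-compliant bounces carry). The header block is reconstructed from the notification above with the archive's `[EMAIL PROTECTED]` placeholders left in place; the assumption that stat.com is "our" MTA is taken from that top line.

```python
"""
Added example, not part of the mailing-list thread or of Declude: decide
which Received: lines of a virus catch are first-hand evidence.

Only the line(s) stamped by OUR MTA are trustworthy; they name the IP that
opened the SMTP connection (Declude's RemoteIP).  Everything below was
written by other people's servers.  The header block is reconstructed from
the notification quoted in the thread, placeholders and all.
"""
import email
import ipaddress
import re

SAMPLE_HEADERS = """\
Received: from guava.uch.edu [168.200.2.37] by stat.com with ESMTP (SMTPD32-8.02) id A94AD300BE; Sat, 23 Aug 2003 13:06:34 -0700
Received: from mail pickup service by guava.uch.edu with Microsoft SMTPSVC; Sat, 23 Aug 2003 14:06:33 -0600
Received: from uchaex2.uch.ad.pvt ([168.200.32.18]) by guava.uch.edu with Microsoft SMTPSVC(5.0.2195.5329); Sat, 23 Aug 2003 14:06:23 -0600
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Received: by uchaex2.uch.ad.pvt with Internet Mail Service (5.5.2653.19) id RLYYQK7T; Sat, 23 Aug 2003 14:06:23 -0600
Message-ID: [EMAIL PROTECTED]
From: System Administrator [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Undeliverable: Re: Details
Date: Sat, 23 Aug 2003 14:06:22 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-MS-Embedded-Report:
Content-Type: multipart/mixed; boundary="_=_NextPart_000_01C369B2.066CB0EC"
Return-Path:
X-OriginalArrivalTime: 23 Aug 2003 20:06:23.0921 (UTC) FILETIME=[07029210:01C369B2]

"""

FROM_RE = re.compile(r"^\s*from\s+(?P<from>.+?)\s+by\s+", re.I | re.S)
BY_RE = re.compile(r"\bby\s+(?P<by>[\w.-]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(value):
    """One Received: value -> which server stamped it, from whom, from which IP."""
    by = BY_RE.search(value)
    frm = FROM_RE.search(value)
    ip = IP_RE.search(frm.group("from")) if frm else None
    return {
        "raw": " ".join(value.split()),
        "by": by.group("by").lower() if by else None,
        "from": frm.group("from").split()[0] if frm else None,  # 'by ...' only lines have none
        "ip": ip.group(1) if ip else None,
    }


def analyze(raw_headers, our_hosts):
    """Split the Received chain into hops our MTA wrote and the hearsay below them,
    and report whether the message is a bounce rather than something a person sent."""
    msg = email.message_from_string(raw_headers)
    ours = {h.lower() for h in our_hosts}
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]  # top-down: newest first

    # Trust runs from the top only while the 'by' host is one of ours; the first
    # foreign 'by' ends it, and nothing below can be verified.
    i = 0
    while i < len(hops) and hops[i]["by"] in ours:
        i += 1
    trusted, hearsay = hops[:i], hops[i:]
    entry = trusted[-1] if trusted else None  # the hop where the message reached us

    reasons = []
    subject = msg.get("Subject", "")
    if re.match(r"undeliverable:", subject, re.I):
        reasons.append("Subject carries the Exchange NDR prefix 'Undeliverable:'")
    if "X-MS-Embedded-Report" in msg:
        reasons.append("X-MS-Embedded-Report header: Exchange-generated report")
    if "Return-Path" in msg and msg["Return-Path"].strip() in ("", "<>"):
        reasons.append("empty reverse path, which bounces use so they are never bounced back")

    ip = entry["ip"] if entry else None
    return {
        "connecting_host": entry["from"] if entry else None,
        "connecting_ip": ip,
        "connecting_is_internal": bool(ip and ipaddress.ip_address(ip).is_private),
        "hearsay_hops": [h["raw"] for h in hearsay],
        "is_bounce": bool(reasons),
        "bounce_reasons": reasons,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_HEADERS, {"stat.com"})
    print("connected from:", result["connecting_host"], result["connecting_ip"])
    print("bounce:", result["is_bounce"], result["bounce_reasons"])
    for line in result["hearsay_hops"]:
        print("unverifiable:", line)
```

Run against the catch above, the only first-hand fact is that guava.uch.edu (168.200.2.37) delivered the message to stat.com, and the three bounce indicators all fire. A bounce carrying the infected attachment tells you that the relaying site's mail system returns undeliverable mail without stripping the payload; it does not tell you which machine generated the original, because the address the bounce went to is the one Sobig forged on the original. Both hosts in the Declude notification and in the `hearsay_hops` list therefore deserve the phone call David asked for, not a verdict from the headers alone.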