It sounds like the following: On Tue, 19 Aug 2003, Ryan Wheaton wrote:
> I've noticed an unsual high amount of spam coming through as well. Some > with this subject, some with others, but all with a .pif attachment. My > firewall filters out .pif's so i'm not too concerned, but it's driving my > users crazy (sometimes, emails come once a minute or so). Anyone else seen > this or have an explanation?? > New virus alert: W32/Sobig.F-mm Warning: dangerous new variant of "Sobig" family spreading On 18th August 2003, MessageLabs the email security company intercepted several copies of a mass-mailing virus which were identified as W32/Sobig.F-mm. �The initial copies all originated from the United States. � � Name: �W32/Sobig.F-mm � � Number of copies intercepted so far: �1,124 (increasing rapidly) � � Time & Date first Captured: �18 Aug 2003 21:04 GMT � � Origin of first intercepted copy: �United States � � Most active country: �United States (95%), Denmark (3%), Norway (1%) Characteristics Initial analysis would suggest that Sobig.F is a mass-emailing virus that is spreading very vigorously. �Sobig.F appears to be polymorphic in nature and the email from: address is also spoofed and may not indicate the true identity of the sender. �In earlier versions of the Sobig family, the file extension has sometimes been truncated. �MessageLabs have not yet observed this with the Sobig.F strain. The email may also comprise the following characteristics: � � Subject: Re: Details � � Text: � � � � Please see the attached file for details. � � Attachment names may include: your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document_Fall.pif, application.pif, document_9446.pif � In an attempt to bypass local antivirus security, the file size varies on each generation reminiscent of Yaha by appending rubbish to the end of the file, but is on average around 74kb in size. �The initial copies are packed using TELock, but there may be other variants in the wild packed using different packers. Mike Norwood -- TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug TriLUG Organizational FAQ : http://trilug.org/faq/ TriLUG Member Services FAQ : http://members.trilug.org/services_faq/ TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
