As a followup to Steve's timely post.... One of my customers is a huge multinational company with thousands of workstations worldwide on a VPN protected WAN. Yesterday, while on their VPN with one of my computers I got stung with a number of viruses off their network. Luckily I was able to isolate this one computer from the rest of my network :-P
-------

Anyway, more info is trickling down only hours ago that the "SoBig.F" virus has a trick up its sleeve that none of the Security Experts have decoded yet. Apparently from 3pm to 6pm EDT on Fridays and Sundays, SoBig.F on any infected computers will download some secret program from a yet unknown address. It is this new secret program you need to worry about. Nobody knows what it'll do - but you have to fear the worst.

Apparently the only protection measure, if you haven't already removed the virus - is to block the following ports. If you have too many workstations to disinfect, block your firewall first.

Block "OUTBOUND" port 8998/UDP
Block "INBOUND" ports 995 ~ 999/UDP

Blocking the "OUTBOUND" port on your firewall will apparently prevent the download of this secret program.

http://www.sarc.com/avcenter/venc/data/[EMAIL PROTECTED]

I just reset my firewall. Good luck.

Cheers.....

Scott Cadillac, XML-Extranet - http://xml-extra.net
403-281-6090 - [EMAIL PROTECTED]
Well-formed Development -- Extranet solutions using C# .NET, Witango, MSIE and XML

> -----Original Message-----
> From: Campbell Steve [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 22, 2003 1:10 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Witango-Talk: Sobig worm part 2
>
>
> I know this is "old hat" to most, but I just found out about it.
>
> Reposted here:
>
>
> All the infected computers are entering a second phase today, on Friday the
> 22nd of August, 2003. These computers are using atom clocks to synchronize
> the activation to start exactly at the same time around the world: at
> 19:00:00 UTC (12:00 in San Francisco, 20:00 in London, 05:00 on Saturday in
> Sydney).
>
> At this moment, the worm starts to connect to machines found from an
> encrypted list hidden in the virus body. The list contains the addresses of 20
> computers located in USA, Canada and South Korea.
>
> "These 20 machines seem to be typical home PCs, connected to the Internet
> with always-on DSL connections", says Mikko Hypponen, Director of Anti-Virus
> Research at F-Secure. "Most likely the party behind Sobig.F has broken into
> these computers and they are now being misused to be part of this attack".
>
> The worm connects to one of these 20 servers and authenticates itself with a
> secret 8-byte code. The servers respond with a web address. Infected
> machines download a program from this address - and run it. At this moment
> it is completely unknown what this mystery program will do.
>
>
> http://www.f-secure.com/news/items/news_2003082200.shtml

Steve
Forerunners Org

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf
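As an added example (not code from this thread, nor from Witango, Symantec or F-Secure), a small Python scan of constructed firewall log lines for the two indicators Scott lists (outbound UDP 8998, inbound UDP 995-999), marking whether each flow fell in the activation window from Steve's repost (Friday/Sunday from 19:00 UTC, i.e. 3pm-6pm EDT). The log format, addresses and timestamps are made up for the example.

```python
from datetime import datetime, timezone

# Constructed firewall log lines (format invented for this example):
# "<UTC timestamp> <in|out> <proto> <src_ip>:<port> -> <dst_ip>:<port>"
SAMPLE_LOG = """\
2003-08-22T19:05:12Z out udp 10.1.2.3:1234 -> 203.0.113.7:8998
2003-08-22T19:06:40Z in udp 203.0.113.7:8998 -> 10.1.2.3:997
2003-08-22T10:00:00Z out udp 10.1.2.9:1500 -> 203.0.113.8:8998
2003-08-22T19:07:00Z out tcp 10.1.2.3:2048 -> 198.51.100.4:80
2003-08-23T19:30:00Z out udp 10.1.2.4:1600 -> 203.0.113.9:8998
"""

OUTBOUND_C2_PORT = 8998                 # "Block OUTBOUND port 8998/UDP"
INBOUND_REPLY_PORTS = range(995, 1000)  # "Block INBOUND ports 995 ~ 999/UDP"
ACTIVATION_DAYS = {4, 6}                # Friday and Sunday (datetime.weekday)
ACTIVATION_START_HOUR = 19              # 19:00 UTC == 3pm EDT
ACTIVATION_END_HOUR = 22                # 22:00 UTC == 6pm EDT

def in_activation_window(ts: datetime) -> bool:
    """True if a UTC timestamp falls in the Fri/Sun 19:00-22:00 UTC window."""
    return ts.weekday() in ACTIVATION_DAYS and ACTIVATION_START_HOUR <= ts.hour < ACTIVATION_END_HOUR

def parse_line(line: str):
    """Split one constructed log line into (ts, direction, proto, src_ip, dst_ip, dst_port)."""
    ts_s, direction, proto, src, _, dst = line.split()
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, direction, proto, src_ip, dst_ip, int(dst_port)

def find_sobig_indicators(log_text: str):
    """Return (internal_host, reason, in_window) for each UDP flow on the advisory's ports."""
    hits = []
    for line in filter(None, log_text.splitlines()):
        ts, direction, proto, src_ip, dst_ip, dst_port = parse_line(line)
        if proto != "udp":
            continue
        if direction == "out" and dst_port == OUTBOUND_C2_PORT:
            hits.append((src_ip, "outbound udp/8998", in_activation_window(ts)))
        elif direction == "in" and dst_port in INBOUND_REPLY_PORTS:
            hits.append((dst_ip, f"inbound udp/{dst_port}", in_activation_window(ts)))
    return hits

if __name__ == "__main__":
    for host, reason, hot in find_sobig_indicators(SAMPLE_LOG):
        print(host, reason, "IN ACTIVATION WINDOW" if hot else "outside window")
```

A hit outside the window still deserves a look, since the post only says the download is scheduled for the window, not that the worm is silent at other times.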
