-------Original Message-------
From: FGS-PROJECT-L(a)rootsweb.com
Date: Thursday, August 21, 2003 20:17:02
To: FGS-PROJECT-L(a)rootsweb.com
Subject: [FGS] Fw: WOW #8.32 - Sobig becomes So Big
I'm being bombarded too, and found this information helpful and reassuring.
It was sent to me by one of the computer gurus in our office. Greta, Iowa
etc.
--==>> WOW -- WOODY's OFFICE WATCH <<==--
Microsoft Office advice and news from Woody Leonhard
20 August 2003 Vol 8 No 32
This issue is mostly about the Sobig infestation that many of you will
be dealing with today. Peter and I hope this information helps you. We
also have news of a wonderful new Woody's newsletter starting soon, plus
a correction to our last Office 2003 ezine (sent just a few hours ago).
1. Sobig becomes SO BIG
2. How Sobig works
3. The Infected Email Message
4. Are you infected?
5. Stopping the SoBig Tsunami
6. Side-effects of Sobig
7. Standard Precautions Apply
8. More Details
9. NEW - Woody's Email Essentials
10. Oops - Technology Guarantee Lives!
11. "Windows XP Timesaving Techniques For Dummies"
12. Keep WOW Alive and Free
____________________
1. SOBIG BECOMES SO BIG
Many of you will have woken up this morning to email boxes full of
messages - that's because a variant of the SoBig worm has been unleashed
and is filling up mailboxes all over the world.
In this earlier-than-usual issue we'll try to cut past the usual
error-prone reports about the worm and give you practical advice on what
to do about this, and any similar, infestation.
Firstly, we'll explain a little about Sobig, which will help you
understand what the problem is and who not to blame.
____________________
AD DELETED
____________________
2. HOW SOBIG WORKS
SoBig is a program that runs on an infected computer. A computer is
infected when someone opens an infected email attachment.
Once SoBig is running, it scans your hard drive for email addresses.
This can be anyone's email address, not just yours. It doesn't just look
in your address book; it also searches any web pages that are stored on
your hard drive.
A goldmine of addresses is usually gathered from the browser's cache of
recently viewed pages - in Internet Explorer that's the Temporary
Internet Files folder(s).
We won't go into the details here; see below for some links with
plenty of technical info. The important point is that email addresses
are stolen from all sorts of places on a computer.
Once SoBig has those addresses it starts sending out infected email
messages. See 'The Infected Email Message' below for details.
Those infected messages are marked as coming
FROM: one of the stolen email addresses
TO: another of the stolen email addresses
Vital Point: The message will almost invariably NOT really come from
the email address shown.
Don't blame the apparent FROM email address in an infected message - not
only is the person probably not infected, they are totally unaware that
a message has been sent in their name.
There's no practical way to trace the source of the infected messages,
at least not for those of us who don't do anti-virus tracking for a
living. In the current attack the messages may well be coming from
multiple sources.
SoBig uses its own SMTP engine to send out infected messages, which
means you don't need an email program running for it to spread, and the
source of infection is harder to trace.
The best thing you can do is delete the infected messages and make sure
you are not infected yourself.
The worm itself isn't new, but this is a new variant on a known baddie.
____________________
AD DELETED
____________________
3. THE INFECTED EMAIL MESSAGE
We've seen a lot of misinformation on this in the last few hours, from
people who should know better, which is the main reason why Woody and
Peter decided to get this issue out quickly.
SoBig infected messages have several characteristics that can help
identify them both manually and by spam filters.
The messages have one of these subject lines:
> Re: Details
> Re: Approved
> Re: My details
> Re: Thank you!
> Re: That movie
> Re: Wicked screensaver
> Re: Your application
> Thank you!
> Your details
Of course, you could get legitimate emails with these subjects, which is
exactly why the worm uses them.
So we feel that trapping the infected attachments is a more reliable
method in the long run. Sadly not all mail filters have this feature
(hello Microsoft) even though it is obvious and would be really useful.
The messages all have an attachment with one of these names:
- your_document.pif
- document_all.pif
- thank_you.pif
- your_details.pif
- details.pif
- document_9446.pif
- application.pif
- wicked_scr.scr
- movie0045.pif
If your mail filter can do it, trap for ALL .PIF and .SCR files and
delete the messages. It's unlikely that anyone sensible would be
sending out messages with those attachments - at least not these days.
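The attachment trap described above, as an added example that is not part of the original newsletter or of any mail product: a small Python filter that parses raw messages with the standard library's email module and drops anything carrying a .pif or .scr attachment, whatever the letter case and whatever the subject line says. The two sample messages it runs over are constructed here, and the From/To addresses in them are placeholders; a real filter would call classify() on each message as it arrives.

```python
"""Attachment-based trap for Sobig.F-style worm mail.

Added example for this newsletter issue; not code from Woody's Office
Watch or from any mail filter product. It parses raw RFC 822 messages
and flags anything carrying a .pif or .scr attachment, which is the
"trap for ALL .PIF and .SCR files" rule. The subject-line and filename
lists from the newsletter are used only as secondary tags: the
extension rule is what catches a renamed variant.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions the newsletter recommends trapping outright.
BLOCKED_EXTENSIONS = {".pif", ".scr"}

# Attachment names and subjects listed in the newsletter.
SOBIG_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}
SOBIG_SUBJECTS = {
    "Re: Details", "Re: Approved", "Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Thank you!", "Your details",
}


def attachment_names(msg: EmailMessage) -> list[str]:
    """Every attachment filename in the message, in MIME order.

    get_filename() reads Content-Disposition's filename= and falls back
    to Content-Type's name=, so both ways a worm names its payload count.
    """
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name.strip())
    return names


def extension_of(filename: str) -> str:
    """Lower-cased final extension, so 'Movie0045.PIF' matches '.pif'."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""


def classify(raw: bytes) -> dict:
    """Classify one raw message; returns the verdict plus the reasons,
    so a filter can log why a message was dropped."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = attachment_names(msg)
    blocked = [n for n in names if extension_of(n) in BLOCKED_EXTENSIONS]
    subject = (msg["Subject"] or "").strip()
    return {
        "drop": bool(blocked),
        "blocked_attachments": blocked,
        "known_sobig_name": any(n.lower() in SOBIG_ATTACHMENTS for n in names),
        "sobig_subject": subject in SOBIG_SUBJECTS,
        "subject": subject,
    }


def build_sample(subject: str, filename: str, content_type: str, body: bytes) -> bytes:
    """Constructed sample message (not a real capture) with one attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"   # placeholder address
    msg["To"] = "victim@example.net"      # placeholder address
    msg["Subject"] = subject
    msg.set_content("See the attached file.")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(body, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples: a worm-like message with a mixed-case .PIF, and a
# legitimate Word document that happens to share a Sobig subject line.
WORM_SAMPLE = build_sample("Re: That movie", "Movie0045.PIF",
                           "application/octet-stream", b"MZ...")
LEGIT_SAMPLE = build_sample("Re: Details", "details.doc",
                            "application/msword", b"\xd0\xcf\x11\xe0")

if __name__ == "__main__":
    for raw in (WORM_SAMPLE, LEGIT_SAMPLE):
        print(classify(raw))
```

The second sample is the point of the exercise: its subject is on the Sobig list, yet it is kept, because the decision rests on the attachment extension rather than the subject.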
4. ARE YOU INFECTED?
There's an easy way to tell if you're infected with Sobig.f. Click Start
| Search (or Start | Search | For Files and Folders) and look for a file
called WINPPR32.EXE . If you find that file, you're infected: print the
info at
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100561
, unplug yourself from the Internet, and follow the instructions there
to get Sobig off your machine.
____________________
AD DELETED
____________________
5. STOPPING THE SOBIG TSUNAMI
But you already have a mailbox full, and beyond, with infected messages -
what do you do?
(Yes, we know this advice will, by its nature, come too late for most
people because this issue will be caught up in the mailbox. Sigh).
The problem is not just the number of messages but also their size - even
with a broadband connection it can take a long time to grab all the
messages.
In situations like this it's best to delete the messages directly from
your ISP or company mailbox before you download them to your email client.
There are various ways you can do this, depending on how your email is
set up, who hosts it and what email program you use. So we can only give
general advice, not specific info.
Here are some options:
WEB BASED EMAIL
Most mailboxes have a web-based option for you to access them via any
web browser. Most ISPs have, or should have, this service. Companies
using Microsoft Exchange Server probably have Outlook Web Access running.
Check your ISP's customer info pages for details. The name of the
service varies but it's usually called 'Web Mail', 'Mail from the Web'
or something similar. (Usually it's the same login name and password as
your email program uses to grab mail.)
Inside a company, check with your IT department - though you'd hope the
IT manager would be stopping infected messages before they hit your Inbox.
Once you've logged into your mail account via the web look through the
Inbox and delete any SoBig messages. They'll be pretty easy to spot
from the Subject lines listed above.
Most webmail systems have check-boxes next to each message; you can
tick the boxes and then choose a 'Delete selected messages' option. If
your mailbox is clogged it may be easier to use 'Select All' and then
DEselect the messages you want to keep.
Once you've done that, you can start your mail program and grab the
remaining, wanted, messages as usual.
WEB2MAIL
If your mail account does NOT have webmail support, you can try
web2mail.com -- this provides webmail support for any POP account. All
you do is give it your email address and password and it will figure out
the rest. Bear in mind that this means trusting a third party with your
mailbox password; if you go this route, change the password afterwards.
We've had some reports today that web2mail.com isn't working as well as
it usually does. This could be because their free service is overloaded
or it has trouble accessing mailboxes with so many messages.
REMOTE MAIL
Outlook has a little-used Remote Mail (or Download Headers Only)
feature. We won't go into detail here; suffice it to say that Remote
Mail grabs only the mail headers for each message, and lets you decide
which messages to download in full and which to delete on the server.
WebMail is easier to use these days, but if that is not available look
for Remote Mail or Headers in the online help.
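The Remote Mail approach above, as an added Python example that is not part of the original newsletter and not Outlook's own code: it uses the POP3 TOP command to pull only each message's headers, decides by Subject and size, and deletes matches on the server before anything is downloaded in full. The stand-in server, its four messages and the 50 KB size floor are all constructed assumptions for the example; the floor is there so that a short genuine reply which happens to share a Sobig subject line is never deleted unread. The connect() helper shows how the same triage would be pointed at a real server over TLS and is not exercised offline.

```python
"""Headers-only triage of a POP3 mailbox (the Remote Mail idea).

Added example for this newsletter issue; not code from Outlook, Woody's
Office Watch or any ISP. Only headers come down the wire (TOP n 0), so
the worm bodies are never downloaded. The fake server, its messages and
the MIN_SUSPECT_SIZE floor are constructed assumptions for the example.
"""
import poplib
from email import policy
from email.parser import BytesHeaderParser

# Subject lines listed in the newsletter.
SOBIG_SUBJECTS = {
    "Re: Details", "Re: Approved", "Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Thank you!", "Your details",
}
# Assumed floor: a message this small cannot be carrying the worm's
# attachment, so a short genuine "Re: Details" reply is left alone.
MIN_SUSPECT_SIZE = 50 * 1024


def connect(host: str, user: str, password: str) -> poplib.POP3_SSL:
    """Open an authenticated POP3-over-TLS session (not used offline)."""
    conn = poplib.POP3_SSL(host)
    conn.user(user)
    conn.pass_(password)
    return conn


def mailbox_sizes(conn) -> dict[int, int]:
    """Map message number -> size in octets from the LIST response."""
    _, listing, _ = conn.list()
    sizes = {}
    for entry in listing:
        num, octets = entry.decode("ascii").split()
        sizes[int(num)] = int(octets)
    return sizes


def headers_of(conn, num: int):
    """Fetch only the headers of message `num` with TOP num 0."""
    _, lines, _ = conn.top(num, 0)
    return BytesHeaderParser(policy=policy.default).parsebytes(b"\r\n".join(lines))


def is_sobig_like(headers, size: int) -> bool:
    subject = (headers["Subject"] or "").strip()
    return subject in SOBIG_SUBJECTS and size >= MIN_SUSPECT_SIZE


def triage(conn, dry_run: bool = False):
    """Delete Sobig-like messages on the server; return (deleted, kept)
    as lists of (num, subject, size) so the user can review the call."""
    deleted, kept = [], []
    for num, size in sorted(mailbox_sizes(conn).items()):
        hdrs = headers_of(conn, num)
        subject = (hdrs["Subject"] or "").strip()
        if is_sobig_like(hdrs, size):
            if not dry_run:
                conn.dele(num)
            deleted.append((num, subject, size))
        else:
            kept.append((num, subject, size))
    return deleted, kept


class FakePOP3:
    """Constructed stand-in for poplib.POP3 supporting LIST, TOP, DELE."""

    def __init__(self, messages):
        self.messages = dict(enumerate(messages, start=1))
        self.deleted = set()

    def list(self):
        listing = [f"{n} {len(raw)}".encode() for n, raw in self.messages.items()
                   if n not in self.deleted]
        return b"+OK", listing, 0

    def top(self, num, howmuch):
        head, _, _ = self.messages[num].partition(b"\r\n\r\n")
        return b"+OK", head.split(b"\r\n"), len(head)

    def dele(self, num):
        self.deleted.add(num)
        return b"+OK"


def make_message(subject: str, body_size: int) -> bytes:
    """Constructed message with placeholder addresses and a padded body."""
    head = f"From: someone@example.org\r\nTo: you@example.net\r\nSubject: {subject}\r\n\r\n"
    return head.encode() + b"X" * body_size


SAMPLE_MAILBOX = [
    make_message("Re: That movie", 72 * 1024),       # worm-sized, worm subject
    make_message("Re: Details", 800),                # short genuine reply, same subject
    make_message("Minutes from Tuesday", 60 * 1024), # large but innocent
    make_message("Your details", 75 * 1024),         # worm-sized, worm subject
]

if __name__ == "__main__":
    deleted, kept = triage(FakePOP3(SAMPLE_MAILBOX))
    print("deleted:", deleted)
    print("kept:   ", kept)
```

Run it with dry_run=True first against a real mailbox to see what would go, then for real; POP3 only commits DELE when the session is closed with QUIT, so a mistake can still be undone by dropping the connection.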
____________________
AD DELETED
____________________
6. SIDE-EFFECTS OF SOBIG
As well as Sobig-infected messages you may be seeing mysterious messages
in your mailbox. These are automated responses to messages that Sobig
has sent, supposedly coming from you.
In other words, on an infected computer, Sobig has found your email
address and is sending out messages with your address as the FROM.
As a result you may get automatic responses from systems set up to
respond to the message 'you' sent. Even though it didn't really come
from you, the receiving computer doesn't know that.
While you can trap and delete the infected Sobig messages themselves,
there's no way to reliably identify these side-effect messages except to
look at them yourself.
The infected message may well go to someone you've never heard of,
because it's just another address stolen from the infected computer.
Most common responses you may get are 'Out of Office' or 'Vacation'
replies, also 'Unknown receiver' if the TO address is old, 'Over quota'
or 'Full Mailbox'. Any of the standard, automatic responses could come
to you even though you really didn't send the message in the first place.
The most ironic and galling are the warnings that 'you' sent an infected
email message. Some have polite details, others just talk about
'content violation'.
At Woody's Watch, like all email newsletters, we get especially caught
by this. SoBig grabs email addresses from an infected computer,
including any in copies of a newsletter. This can include addresses to
subscribe and unsubscribe. As a result you may get an offer to confirm
or unsubscribe from a newsletter you've never heard of.
At Woody's Watch, we have traps in place to stop this happening, as do
all reputable ezines. We strengthened those traps in the last few hours
in response to the SoBig onslaught.
Some people have written to us in the last few hours, often in less than
polite terms, complaining that we've stolen their email address etc. As
I hope all Woody's Watch readers know, we don't add or delete addresses
without specific requests. We do our best to stop these side-effects of
mass mailings from infected computers and it's certainly NOT a sign that
we've given away your email address.
FULL MAILBOXES
With so many infected messages going around you might find that an email
you send is bounced because the receiver's mailbox is full.
Nothing much you can do except wait and try again later, unless you have
another way to contact that person and warn them.
SLOW MAIL
Some mail systems, especially in companies, have slowed to a crawl
because the mail server is trying to cope with the large volume of mail.
Again, not a lot you can do but wait. If you're sending an urgent
email, you might want to phone the receiver to make sure they got it.
7. STANDARD PRECAUTIONS APPLY
We say it every time: you should have good and up-to-date anti-virus
software.
Any of the major anti-virus packages are OK - Peter has used Norton
Anti-Virus (www.symantec.com) for years, but other people have other
preferences.
Get anti-virus software, install it, keep it updated and run it regularly.
Up to date is VITAL. There's no point in having anti-virus software
with old virus information. These days 'old' can mean last week.
Grab the latest updates (there may have been one in the last 12 hours
after SoBig went postal). In Norton products the 'LiveUpdate' option
will handle this. Other products have similar options.
After you have the update, scan your entire computer just to make sure
that you are not infected with SoBig yourself.
8. MORE DETAILS
Symantec has their usual comprehensive guide at
plus a link to a removal tool if you're infected.
Nothing from Microsoft - at least not that we can see as we go to press.
Plenty of belated Blaster coverage, to be sure.
==== FGS-PROJECT Mailing List ====