[thelist] OT: 27 Trojans in the in-box today

Pat Meeks pmeeks at msn.com
Tue Aug 19 17:18:51 CDT 2003


Frank:

> Holy Smokes! I received 27 trojans in my in box at an address that I never
> give out, and that never receives spam.  Most had a From: of ferris.edu
> with the title "Thank You" (and variations thereof). Lucky for me, I'm
> security minded with all of my defence settings at "Paranoid".

Here's an email I just received from Central Command.

Regards, Pat

---------------------------------------------------------------

VIRUS WARNING ISSUED BY CENTRALCOMMAND®
on August 19, 2003
for Worm/SoBig.F



VIRUS WARNING The Central Command® Emergency Virus Response Team™ (EVRT™)
has received virus infection reports for the new Internet Worm/SoBig.F.
Due to increased customer inquiries and infection reports the EVRT is
issuing a VIRUS WARNING.

You are receiving this news letter because you are a subscriber to the
Central Command Virus News mailing list.

[ EVRT™ Virus Warning issued for Worm/SoBig.F ]

Name: Worm/SoBig.F
Alias: W32/Sobig.f@MM; WORM_SOBIG.F; W32.Sobig.F@mm
Type: Internet Worm
Discovered: August 19, 2003
Size: ~ 72 KB
Platform: Microsoft Windows 9x/ME/NT/2000/XP

Worm/Sobig.F is an Internet worm that spreads through e-mail by using
addresses it collects from files with the following extensions: .dbx,
.eml, .htm, .html, .txt, and .wab.

The worm may arrive via e-mail in the following format:

Subject: (it will contain one of the following)

case1: Re: That movie
case2: Re: Wicked screensaver
case3: Re: Your application
case4: Re: Approved
case5: Re: Re: My details
case6: Re: Details
case7: Thank you!
case8: Re: Thank you!

Body:
case1: Please see the attached file for details.
case2: See the attached file for details

Attachment: (it will contain one of the following)
case1: movie0045.pif
case2: wicked_scr.scr
case3: application.pif
case4: document_9446.pif
case5: details.pif
case6: your_details.pif
case7: thank_you.pif
case8: document_all.pif
case9: your_document.pif

Strings within the worm suggest outgoing messages are constructed from
the cases above.

If executed, the worm copies itself into the \windows\ directory under the
filename "winppr32.exe".

A new file will be created named %windir%\winstt32.dat. This file does not
contain viral code.

- \Windows\winstt32.dat

So that it gets run each time a user restarts their computer, the following
registry key gets added:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"


[ Vexira Antivirus Solutions ]

- Vexira Antivirus for Windows workstations/desktops
- Vexira Antivirus for Windows Server
- Vexira Antivirus for Linux Server
- Vexira Antivirus for Linux Workstation
- Vexira Antivirus for FreeBSD
- Vexira Antivirus for OpenBSD
- Vexira Antivirus for Sendmail
- Vexira Antivirus for Sendmail + Milter
- Vexira Antivirus for Qmail
- Vexira Antivirus for Postfix
- Vexira Antivirus for Exim

More information: http://www.centralcommand.com

[ Subscription information ]

Central Command, Inc. respects your online privacy. You can at any time
easily remove your e-mail address from the Central Command mailing list by
entering your e-mail address at the following web page:
http://www.centralcommand.com/unsubscribe.html

You will receive a confirmation message about your successful removal from
the News list.

[ Legal Notice and Disclaimer ]

THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

Disclaimer of warranties and limitation of liability

This information is provided by Central Command, Inc. on an "AS IS" and "AS
AVAILABLE" basis. Central Command, Inc. makes no representations or
warranties of any kind, express or implied, as to the information, content,
materials, or products included, or mentioned within this information
bulletin. You expressly agree that your use of this information is at your
sole risk. The user assumes the entire risk as to the accuracy and the use
of this document.

To the full extent permissible by applicable law, Central Command, Inc.
disclaims all warranties, express or implied, including, but not limited to,
implied warranties of merchantability and fitness for a particular purpose
and freedom from infringement. Central Command, Inc. does not warrant that
this information is accurate. Central Command, Inc. will not be liable for
any damages of any kind arising from the use of this information, including,
but not limited to direct, indirect, incidental, punitive, and consequential
damages.

Certain state laws do not allow limitations on implied warranties or the
exclusion or limitation of certain damages. If these laws apply to you, some
or all of the above disclaimers, exclusions, or limitations may not apply to
you, and you might have additional rights.

[ Copyrights and Trademarks ]

Central Command, PerfectSupport, EVRT, Emergency Virus Response Team, Virus
Protection for the Real World, and Without us, there's no defense are
trademarks of Central Command Inc. All other trademarks, trade names and
product names are property of their respective owners. Copyright © 2000,
2001, 2002, 2003 Central Command Inc. All rights reserved.
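The advisory above gives enough to write a check on both ends: the subject lines, body lines and attachment names the worm uses on the mail path, and the Run-key value ("TrayX" pointing at winppr32.exe) it leaves on an infected host. The following is an added example, not Central Command's code and not part of the thelist post. The indicator values are copied from the advisory; the sample messages and the `reg export` text are constructed for the demonstration, and the verdict labels and thresholds (a listed attachment name alone, or a .pif/.scr attachment together with a matching subject or body) are this example's own choices. The From: header is deliberately not used: the advisory lists no sender indicator, and Frank's ferris.edu addresses show why it would be a poor one.

```python
"""Detect Worm/Sobig.F indicators on the mail path and on a Windows host.

Added example; not Central Command's code and not from the thelist post.
Subjects, body lines, attachment names, file name and Run-key value are
copied from the advisory; the sample mail and .reg text are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage

SUBJECTS = {
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Re: Approved", "Re: Re: My details", "Re: Details", "Thank you!",
    "Re: Thank you!",
}
BODIES = {"Please see the attached file for details.",
          "See the attached file for details"}
ATTACHMENTS = {
    "movie0045.pif", "wicked_scr.scr", "application.pif", "document_9446.pif",
    "details.pif", "your_details.pif", "thank_you.pif", "document_all.pif",
    "your_document.pif",
}
EXEC_EXT = (".pif", ".scr")  # the two executable extensions the advisory lists
RUN_KEYS = {  # compared case-insensitively against [key] lines of a .reg export
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}


def classify_mail(raw: bytes) -> dict:
    """Score one raw message. From: is ignored; the advisory gives no sender indicator."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    hits = []
    if subject in SUBJECTS:
        hits.append("subject")
    if body in BODIES:
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name.endswith(EXEC_EXT):
            hits.append("executable:" + name)
    lure = "subject" in hits or "body" in hits
    known = any(h.startswith("attachment:") for h in hits)
    exe = any(h.startswith("executable:") for h in hits)
    if known or (exe and lure):
        verdict = "sobig_f"                # listed name, or .pif/.scr plus the lure text
    elif exe:
        verdict = "suspicious_executable"  # .pif/.scr arriving with some other text
    elif lure:
        verdict = "lure_text_only"         # matching text, nothing executable attached
    else:
        verdict = "clean"
    return {"subject": subject, "indicators": hits, "verdict": verdict}


def build_sample(subject: str, body: str, attachment: str = None) -> bytes:
    """Construct a test message (not a real capture); attachment bytes are a stub."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "you@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ-stub", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


def find_sobig_persistence(reg_export: str) -> list:
    """Return (key, value_name, data) for Run-key values that launch winppr32.exe."""
    found, key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if key and key.lower() in RUN_KEYS and m and "winppr32.exe" in m.group(2).lower():
            found.append((key, m.group(1), m.group(2)))
    return found


SAMPLE_MAIL = {  # constructed messages, one per verdict
    "listed_lure": build_sample("Thank you!", "Please see the attached file for details.", "thank_you.pif"),
    "renamed_pif": build_sample("Re: Approved", "See the attached file for details", "report.pif"),
    "text_only": build_sample("Re: Details", "Here are the details we discussed."),
    "clean": build_sample("Re: Meeting", "Notes attached.", "notes.txt"),
}
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"
"Updater"="C:\\Program Files\\Vendor\\update.exe"
"""


def scan_samples() -> dict:
    return {name: classify_mail(raw)["verdict"] for name, raw in SAMPLE_MAIL.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:12} -> {verdict}")
    for key, value, data in find_sobig_persistence(SAMPLE_REG):
        print(f"persistence: [{key}] {value}={data}")
```

On the mail side the subject and body strings are only corroborating evidence: "Thank you!" is an ordinary subject, so the example quarantines on a listed attachment name or on a .pif/.scr attachment paired with the lure text, and merely labels text-only matches. The host check expects the output of `reg export` for the two Run keys the advisory names, so it can be run against a dump taken from a machine rather than on the machine itself.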