New Variant Of Sobig Virus

Getting a lot of bounces in my email. Seems to be a workstation at Erie Boces 1 that has an infected pc that is very active right now 15 bounces with my email address (must be in the address book of that workstation)

Anyone getting bounces from virus scanners look for this in the headers
Received: from [168.169.29.159]

or this in the headers
Received: from [168.169.29.159] (helo=HS_BERNARD)

if either appears forward to [email]mdziuba@erie1.wnyric.org[/email] which is tech support there

UPDATE YOU ANTIVIRUS!!!

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
W32/Sobig.F-mm
Warning: dangerous new variant of “Sobig” family spreading

On 18th August 2003, MessageLabs the email security company intercepted several copies of a mass-mailing virus which were identified as W32/Sobig.F-mm. The initial copies all originated from the United States.

Name: W32/Sobig.F-mm
Number of copies intercepted so far: 1,124 (increasing rapidly)
Time & Date first Captured: 18 Aug 2003 21:04 GMT
Origin of first intercepted copy: United States
Most active country: United States (95%), Denmark (3%), Norway (1%)

Characteristics
Initial analysis would suggest that Sobig.F is a mass-emailing virus that is spreading very vigorously. Sobig.F appears to be polymorphic in nature and the email from: address is also spoofed and may not indicate the true identity of the sender. In earlier versions of the Sobig family, the file extension has sometimes been truncated. MessageLabs have not yet observed this with the Sobig.F strain.

The email may also comprise the following characteristics:
Subject: Re: Details
Text:
Please see the attached file for details.

Attachment names may include: your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document_Fall.pif, application.pif, document_9446.pif

In an attempt to bypass local antivirus security, the file size varies on each generation reminiscent of Yaha by appending rubbish to the end of the file, but is on average around 74kb in size. The initial copies are packed using TELock, but there may be other variants in the wild packed using different packers.

Now detected by Symantec: ┬╗securityresponse.symantec.com/avcenter..[?]

2 Responses to New Variant Of Sobig Virus