or Connect
TheCatSite.com › Forums › General Forums › The Cat Lounge › Does anyone have an answer to this email virus?
New Posts  All Forums:Forum Nav:

Does anyone have an answer to this email virus?

post #1 of 16
Thread Starter 
I keep getting hit repeatedly with emails that are supposedly infected. Thankfully my program zaps them out of existence, but are there any answers to how to find out if I am actually infected or is this the virus that sends to itself using dummied up addresses? Anyone know?
post #2 of 16
Its the sobig worm right? As long as your virus program catches it and you quarrentine and delete it it will not harm your system.


It's really a worm, not a virus. It's supposed to stop doing this by September 9th. I know its very annoying. I have been getting one or two here and there.. my boss got like 30 of them the other day But as long as your virus program catches it, its not actually in your system. And dont open any attachments..
post #3 of 16
If I answer this can I goto bed please....

There are a stack of them going around at the moment - some are saying things like - personal details, brilliant screensaver etc - whatever you do - dont open them at all. They seem to have come from people who have opened the attatchment without checking first - I have nailed two tonight as I knew what to look for.
Anything with an attatchment I would delete before you open it as once you do - the worm gets into your email list and goes on its travels.
Press DELETE -

post #4 of 16
I heard on the news today that they are expecting the worst is yet to come. They are predicting the biggest day for it will be next Monday, and it will taper off after that.

I also heard that this worm may actually be something written by spammers. Once a computer is infected, it will be used at a later date to send out spam. Or it is a test run for future spam, where it would come from your "friends" so the spam blockers wouldn't catch it. First time there could be a possible real motive (besides mayhem and destruction) behind a worm/virus - the almighty buck.
post #5 of 16
God people have way too much time on their hands
post #6 of 16

This info came from my place of employment. . .

REPORTED 8/19/2003

The details of the SOBIG virus from the Symantec web site are below.

You might get multiple messages from mail looks like it is coming from colleagues. Today's virus definitions (8/19/2003 rev3) that Symantec released about 9:30 this morning will protect computers from infection. If you believe that you opened a message with the following enclosure, please reboot your computer and call your Help Desk.

Never open enclosures with strange extensions.

=========From Symantec:

W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses that it finds in the files with the following extensions:


Email Routine Details
The email message has the following characteristics:

From: admin@internet.com

Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Thank you!
Your details

See the attached file for details
Please see the attached file for details.

application.zip (contains application.pif)
details.zip (contains details.pif)
document_9446.zip (contains document_9446.pif)
document_all.zip (contains document_all.pif)
movie0045.zip (contains movie0045.pif)
thank_you.zip (contains thank_you.pif)
your_details.zip (contains your_details.pif)
your_document.zip (contains your_document.pif)
wicked_scr.zip (contains wicked_scr.scr)
post #7 of 16
Here's more. . . . it's all very deep. We've had several bulletins this week. Thank God for our computer services dept!

A significant number of Windows machines on our campus have been attacked via a critical vulnerability in the Microsoft RPC service. This virus is caught by your Norton or Symantec antivirus software as backdoor.Hale or backdoor.PAdmin virus.

Backdoor.Hale is a package of programs that provide backdoor access to an infected computer. This threat includes a Backdoor Trojan, detected as Backdoor.Padmin; an FTP server; and various system utilities. The existence of a C:\\winnt\\system32\\qossrv folder is an indication of a possible infection (Go to the Tools menu, Folder Options and click on show hidden files in the view tab to look for this folder). This worm is different in the respect that there is nothing the user is doing to trigger the attack. Unlike most viruses, it does not arrive via e-mail messages. It simply sneaks onto computers connected to the Internet that haven't been patched for the Windows flaw.

If you run a Windows 2000 or XP machine, or are responsible for maintaining machines belonging to other people, please download and install the patch from the Wilson file server immediately by going to the Wilson file server and following the path below and choosing your operating system; either Windows 2000 or Windows XP.

\\\\wilson\\Public Files\\Third Party Support\\Microsoft\\Patches\\RPC Hack Fix\\Windows 2000 Professional or Windows XP Professional

Installing the Microsoft patch after an infection does no good; at that point victims have to first remove the virus, then install the patch.


To remove the virus:

Make sure that your virus definitions are updated.

Restart the computer in Safe mode by holding down the F8 key during startup.

Log on as the administrator. (If you do not have rights to do this, please contact your departmental administrator or your computing support office).

(In the third line of the logon box it should say the name of your machine rather than Dartmouth when you sign in as administrator, otherwise it will say it can't log you on).

Open the Norton or Symantec AntiVirus control panel, through the Programs menu. Go to the View menu, to Quarantine. If there is anything in quarantine, delete it by highlighting it, and clicking the red x at the upper right of the box.

Delete the qossrv folder and all of it's contents from C:\\winnt\\system32
Delete the file nx.exe from the C:\\winnt\\system32 folder (if this file isn't there, that's OK, Norton's already deleted it)

Restart the machine in standard mode and run a full Norton antivirus scan to make sure that it is no longer infected.

Install the Microsoft patch mentioned earlier in this document.
post #8 of 16
More techno babble to bore you with

It has been suggested that we set up a Bait and Tackle shop User Support that in specializes in fresh worms daily :-)

Actually the viruses have pretty much been under control today.

** W32.Welchia.Worm
- Much of the Welchia computer worm activity has subsided. However, we are still finding individual computers with infections. In those cases we are disabling their network connections and sending support staff to assist them.

- The computer network was tightened down to reduce the spread of Welchia. Those restrictions are continuing to be relaxed as it is deemed prudent. We have not had problems logging onto Windows and Outlook today.

- We believe that most D-H standard PC's are currently protected against this virus.

- We are continuing to apply the Microsoft HotFix to close the door on this type of virus as we find exposed computers.

** W32.Sobig.F@mm

- Most of the emails generated yesterday emanated from 2 infected computers. However, hundreds of recipients opened the enclosures and got infected. Fortunately those recipients did not have many names in their Outlook address book and did not propogate the virus further.

- We had one computer get infected with sobig at about 1:00 pm today. It sent out numerous virus laden emails that showed DHMC staff in the [From] field. We are not aware of any secondary infections from that incident.

- We believe that most D-H standard PC's are currently protected against this virus.

- We continue to get infected messages from outside of our network.

- Please do not open any enclosures with; .dbx, .eml, .hlp, .htm, .html, mht, .wab, .txt, .pif or .scr extensions unless you are positive of its authenticity.

** General Suggestions

- Do not take email header information as fact. It can be spoofed by virus's and hackers.

- Update Windows on your home and personal computers regularly. You can find out more about Windows updates by going to: <http://www.microsoft.com/downloads/u...displaylang=en>

- Symantec has a good site where you can get the Windows Updates to protect you from the Blaster and Welchia worms. <http://securityresponse.symantec.com...tent/8205.html>

- Make sure you have an Anti-Virus program at home. Update it daily or weekly.

- Be suspicious of all enclosures.

- Personal Firewalls are a good idea for anybody with a broadband Internet connection at home (cable or DSL). I'm sure that your favorite PC store or consultant could help you set one up.

- For more information, please go to the D-H intranet and view the NewsBeat articles.

- Feel free to contact the D-H Computer Help Desk at x5-2222 if you have questions.

post #9 of 16
Do not open any mail with these enclosures.

post #10 of 16
This has been headlines in the news over here, it's the fastest moving virus that we have ever been hit with, it started in the US.
post #11 of 16
Add .pif to that list. I got the virus in an email on Tuesday morning at work, but I know better than to open any attachments that I'm not expecting. Anyway, that's the type of file I got.
post #12 of 16
If your anti-virus software is up to date, it should catch and quarantine any nasties on the way in. Seems as if that is happening.

The other thing is really simple: never open an attachment -- regardless of the extension -- if it isn't something you were expecting to receive. These worms use the address books and email files of an infected system, and if your address is there, you get the nasty message. They also "spoof" the sender's name, so that nasty, when it comes in, could have your best friend's name in the "from" field. (If you really want to know what's in that attachment, send a message to your friend, asking if she/he sent you a message with an attachment. Only open it, if the answer is yes. Chances are they didn't, and you'll have saved yourself a whole lot of grief. It could just as easily happen the other way too: your friend gets the message, with your name in the "from" field.)

Oh, and about the anti-virus software, don't forget to run a whole system scan every so often. You should be able to schedule it to run on its own, at a convenient time.
post #13 of 16
I'm glad to hear there's an end date for this horror. I am protected but I get tired of deleting over 200 virus messages every day!
post #14 of 16
Originally posted by WellingtonCats
This has been headlines in the news over here, it's the fastest moving virus that we have ever been hit with, it started in the US.
Its on the news today - 1 in 16 emails sent have the worm.

My pc has airbags fitted - damned thing crashes that often.

post #15 of 16
I started getting them yesterday at work - I don't even want to turn on my home computer and check!
post #16 of 16
Thread Starter 
Attention Microsoft users- they have another one to add to the list- supposedly sent by Microsoft (it isn't) it "contains" a patch to download immediately. Don't download it- my friend did and now her computer is so hosed up it isn't funny! She called Microsoft to chew them out only to find out they knew nothing about it! The subject line is Install Immediately to end viruses.......
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: The Cat Lounge
TheCatSite.com › Forums › General Forums › The Cat Lounge › Does anyone have an answer to this email virus?