
    RE: Virus???



    
    Sobig is one of the viruses that does mass mailing with email spoofing. It chooses any email addresses it finds on the host computer as both the From and To addresses on the infected emails it sends. The address in the From field of the message has nothing to do with the address shown as the source in the Internet Headers of the message.
    
    Unfortunately, some virus filtering firewalls send an email to the innocent From address instead of being smart enough to realize that the From address was spoofed. 
    
    Apparently, one or more machines with emails from the ips reflector to mine addresses from are infected, which means that scads of emails are going out with To and/or From fields of ips reflector participants as well as whatever other addresses are on the infected machines.
    
    The only thing that can be done about this is to correct the behavior of the systems sending the reject messages to the wrong address AND to clean the machines that are actually infected. Obviously, everyone should keep an up-to-date virus checker and not open suspicious messages. I am getting slews of the virus-generated messages plus the firewall's misguided virus rejection messages.
    
    Information on Sobig and other viruses can be found on the Symantec site (the company that does Norton Anti-virus). This must be the virus/worm of the day as it is on the home page. The site's example of email spoofing:
    "W32.Sobig.F@mm uses a technique known as "spoofing," by which the worm randomly selects an address it finds on an infected computer. The worm uses this address as the "From" address when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to another individual.
    
    For example, Linda Anderson is using a computer infected with W32.Sobig.F@mm. Linda is neither using an antivirus program nor has the current virus definitions. When W32.Sobig.F@mm performs its email routine, it finds the email address of Harold Logan. The worm inserts Harold's email address into the "From" portion of an infected message, which it then sends to Janet Bishop. Then, Janet contacts Harold and complains that he sent her an infected message; however, when Harold scans his computer, Norton AntiVirus does not find anything, because his computer is not infected."
    
    -----Original Message-----
    From: Lakshmi Ramasubramanian [mailto:nramas@windows.microsoft.com]
    Sent: Friday, August 22, 2003 4:33 PM
    To: ips@ece.cmu.edu
    Subject: Virus???
    Importance: Low
    
    
    I am not sure if anyone else is receiving such mails - I am
    getting about 1 or 2 emails an hour (like the one given
    below) since last evening. It says the originator 
    is ips-outgoing@ece.cmu.edu
    
    Can something be done about this?
    
    thanks and sorry for the spam!
     -lakshmi
    
    Incident Information:-
    
    Database:   e:/lotus/domino/data/mail.box
    Originator: ips-outgoing@ece.cmu.edu
    Recipients: OnlineStore@BestBuy.com
    Subject:    Re: Thank you!
    Date/Time:  08/22/2003 11:19:15 PM
    
    The file attachment your_document.pif you sent to the recipients listed
    above was infected with the W32/Sobig.f@MM virus and was successfully
    cleaned.
    

