Tech2Hire Tips & Tricks by Gregory Tang
- 08/20/03: The 'SoBig' (W32/SoBig.F@MM, Sobig-F) e-mail worm has run amok on the internet. We have received hundreds of e-mails from people who have been infected and have been working with various providers and administrators to help locate and remove this virus from people's machines. This is already a MAJOR problem, and the worm is becoming one of the fastest growing in history.
- E-mails that come from someone who is infected can look like they are being sent from someone you know. This is NOT the case. Some news reports indicate that, to prevent infection, you should never open an e-mail that comes from someone you don't know. Well, this is the 'social engineering' trick these worms use. They do what is called 'SPOOFING': they take names and e-mail addresses from your contact list, local files or your browser cache and make them the SENDER or RECEIVER, so it may appear the e-mail is from someone you know. This worm specifically looks for files on your PC with .dbx, .eml, .hlp, .htm, .html, .mht, .wab & .txt extensions and sends out files with either a .PIF or .SCR extension.
- What can you do?
- Install ANTI-VIRUS SW on your PC, Gateways and Proxy Servers. Software that AUTOMATICALLY UPDATES itself is very worthwhile since many viruses appear very quickly and vendors will often add AV definitions/patches hours or just days before a virus becomes rampant. SoBig-F was added automatically to our AV SW prior to 8/19.
- NEVER, EVER, OPEN an ATTACHMENT if you weren't EXPECTING it in the first place. Even then, anything that is an .EXE, .PIF, .HTML or .COM should be VERY SUSPECT. If you have good up-to-date anti-virus software you shouldn't have to worry as much since the virus should be removed before it reaches your mailbox.
- If using a local area network, make sure some sort of ANTI-VIRUS software is installed, preferably on your Internet Gateway or Proxy Server as well as on your SMTP Gateway or server.
- Make sure, if you maintain an SMTP server, it cannot be used as an 'OPEN RELAY' where others can funnel mail through it, obfuscating the IP trace of where the mail is coming from.
- If your network or PC is infected, disconnect it from the network and internet, then immediately download and run (preferably from a 'clean PC') the latest anti-virus software. Run it on every PC on the network. This should be standard operating procedure and scheduled maintenance as well.
- Network Administrators we've contacted are looking at their E-MAIL (SMTP) servers and trying to block this on their end (which is still good to PREVENT RECEPTION from users sending you this worm). However, this worm does NOT use your SMTP server to SEND: it makes the infected PC its OWN SMTP Mail Server and sends mail directly from that PC to the internet, bypassing the traditional e-mail path.
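
Because the worm mails out directly from the infected PC, the place to spot it is the firewall or gateway log rather than the mail server. The following is an added example, not part of the original page: a Python script that flags LAN hosts connecting to port 25 on the internet without going through the mail server. The log format, address range, mail server address and threshold are assumptions, and the sample log lines are constructed.

```python
"""Flag LAN hosts that speak SMTP straight to the internet (added example)."""
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")   # assumed LAN range
MAIL_SERVERS = {ipaddress.ip_address("192.168.10.5")}    # assumed sanctioned SMTP host

# Constructed firewall log: "<time> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2003-08-20T09:00:01 192.168.10.5 203.0.113.25 25 ALLOW
2003-08-20T09:00:04 192.168.10.42 198.51.100.7 25 ALLOW
2003-08-20T09:00:05 192.168.10.42 203.0.113.80 25 ALLOW
2003-08-20T09:00:06 192.168.10.42 192.168.10.5 25 ALLOW
2003-08-20T09:00:09 192.168.10.17 198.51.100.9 80 ALLOW
2003-08-20T09:00:11 192.168.10.42 198.51.100.200 25 ALLOW
malformed line without enough fields
2003-08-20T09:00:15 192.168.10.61 203.0.113.25 25 DENY
"""

def direct_smtp_senders(log_text):
    """Return {internal_ip: set of external hosts it contacted on port 25}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                     # skip malformed lines
        _, src, dst, port, _action = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue                     # skip unparsable addresses or ports
        if port != 25 or src_ip not in INTERNAL_NET:
            continue
        if src_ip in MAIL_SERVERS or dst_ip in INTERNAL_NET:
            continue                     # normal path: server relays, clients submit internally
        hits[str(src_ip)].add(str(dst_ip))   # blocked (DENY) attempts count too
    return dict(hits)

def suspects(log_text, min_destinations=2):
    """Hosts reaching several distinct external mail hosts look like mass-mailers."""
    return sorted(ip for ip, dsts in direct_smtp_senders(log_text).items()
                  if len(dsts) >= min_destinations)

if __name__ == "__main__":
    for ip in suspects(SAMPLE_LOG):
        print("disconnect and scan:", ip)
```

Blocking outbound port 25 at the gateway for every host except the mail server turns the same observation into prevention, and the denied attempts then identify the infected PCs.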
- Articles & Fixes:
- Other Articles & Tips:
- Finding ADWARE, MALWARE, SPYWARE and DATA-MINING 'programs' on your PC – Every time you surf the net, you run the possibility of having your PC 'infected'. Anti-Virus software from all the leading vendors (McAfee, Norton/Symantec, TrendMicro, ...) does NOT find these programs as they are not 'programs' per se, but registry settings and various browser-based cookies and routines that are not classified as viruses or worms. Many of these routines are DATA-MINING routines that track where you go on sites, collect various personal information and e-mail addresses, and send this information to a website where it may be used for further marketing or SPAM. In the worst case, MALWARE will actually act like a virus and potentially make changes or cause harm to your PC or operating system. Many of these programs add Windows registry settings on your computer as they are 'installed' and run constantly in the background, taking up bandwidth and slowing your PC down. You can find and remove these programs, and, like anti-virus, the tools to do so can be downloaded for free off the net.
CONTACT US HERE FOR MORE INFORMATION: Info@Tech2Hire.com / 207.223.0070
Tech2Hire, 28 North Searsport Road, Frankfort ME 04438