Published July 21st, 2003 by Jim O'Halloran

Sobig Virus Analysis

The first part of this analysis looks at the original Sobig virus and how it infects its hosts.

Viruses sometimes leave backdoors, also known as “trojans” on systems they infect; this is nothing new. The idea is to give the virus writer control over a large quantity of infected computers, establishing a virtual army of computers to do his or her bidding. The author of the virus discussed in this paper had a different idea: using a virus as the delivery mechanism, install anonymous proxy servers on thousands of computers worldwide. Instead of seeking to control the hosts, the virus author merely intended to establish a network of relay points through which they could direct their own connections, concealing their true origin wherever they went on the Internet.

While the second part looks at the evolution of the worm into its .e variant.

This paper concentrates on the differences between the original worm and the incarnations since that time. The information in these two papers is the result of months of first-hand investigation into the Sobig worm family by LURHQ.

One of the nastier things about Sobig is that it installs an open proxy server which is then exploited to send spam. Nice!


11 Responses to “Sobig Virus Analysis”

  1. 1

    Cassandra Says

    Hi, recently I’ve been bombed by emails everyday with the sobig virus in it. These are the addresses. I don’t know who to report to. Here is one of the bastards!! btoliver@socket.net
    Whoever this asshole is I hope the fleas of a thousand camels infest upon his armpits!!!!

  2. 2

    Jim O'Halloran Says

    We’ve been bombarded by the Sobig.f variant for the last 24 hours… The problem is that the From: address on the email is faked, so replying to the emails you receive achieves nothing. Whoever wrote this thing should be shot… Twice… Slowly.

    Jim.
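    The point Jim makes above, that the From: line is faked so replying to it (or blaming its owner) achieves nothing, is easy to see by reading the Received: chain instead of the From: header. The script below is an added example, not part of the original post or of LURHQ's analysis; the two messages it parses are constructed, and the hostnames and addresses in them are placeholders. It lists the hosts named in each Received: hop (top of the message is the most recent hop, bottom is the origin) and reports whether the claimed From: domain appears anywhere on that path.

```python
import email
import email.utils
import re

# Constructed sample: From: claims example.com, but the path runs from an
# ISP dial-up host through mail.example.net. No hop mentions example.com.
SAMPLE_SPOOFED = """Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org (Postfix) with SMTP id 0123ABC; Mon, 25 Aug 2003 12:51:00 +0930
Received: from dialup-203-0-113-7.example.isp (203.0.113.7 [203.0.113.7])
\tby mail.example.net with SMTP; Mon, 25 Aug 2003 12:50:40 +0930
From: victim@example.com
To: someone@example.org
Subject: Re: Details
Content-Type: text/plain

See the attached file for details.
"""

# Constructed sample: From: domain matches the relay that handed it to us.
SAMPLE_LEGIT = """Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org (Postfix) with SMTP id 0456DEF; Mon, 25 Aug 2003 13:02:00 +0930
From: user@example.net
To: someone@example.org
Subject: Lunch

Still on for Tuesday?
"""


def received_hosts(raw):
    """Return the 'from <host>' token of every Received: header, in header order."""
    msg = email.message_from_string(raw)
    hosts = []
    for value in msg.get_all("Received") or []:
        value = " ".join(value.split())  # unfold continuation lines
        m = re.match(r"from\s+(\S+)", value, re.IGNORECASE)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def from_domain(raw):
    """Domain part of the From: header (the address the worm forged)."""
    msg = email.message_from_string(raw)
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def assess(raw):
    """Check whether the From: domain appears on the delivery path at all."""
    dom = from_domain(raw)
    hosts = received_hosts(raw)
    in_path = any(h == dom or h.endswith("." + dom) for h in hosts) if dom else False
    return {"from_domain": dom, "received_hosts": hosts, "domain_in_path": in_path}


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        r = assess(raw)
        print(label, r["from_domain"], "->", " <- ".join(r["received_hosts"]),
              "| From domain on path:", r["domain_in_path"])
```

    Only the topmost Received: line (the one your own mail server wrote) can be trusted; anything below it was written by whoever handed the message on and can be forged just like From:. A mismatch is also not proof of a worm on its own, since mail legitimately sent through a third-party relay looks the same, so treat this as a way to understand the bounces you are receiving rather than as a spam filter.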

  3. 3

    Bebe Rebozo Says

    I’m not dumb enough to open a Sobig attachment, but I still APPEAR to be an idiot to anyone who gets a Sobig e-mail with my address FAKED as the sender! What can I do? I keep getting messages “returned as undeliverable” which I never sent in the first place!

  4. 4

    Jim O'Halloran Says

    Unfortunately there is nothing that you can do about it.

    Jim.

  5. 5

    Allison Says

    I got the virus and removed it - so says several scans. I am continuing to get bombarded with emails many of which look like came from my address book. Did I really get rid of it or am I still experiencing the effects of having it?

    HELP!!!!!!!!!!!

  6. 6

    Bebe Rebozo Says

    The frustrating thing about this virus is that even though I’ve cleaned my machine, I still get bombarded with dozens of virus e-mails every day (not to mention the e-mails accusing ME of spreading the virus) and there’s no way for me to know which one of my e-mail acquaintances is infected because the senders are faked!

    I think I read that this virus is internally set to stop sending e-mails on a specific date. Is this true?

  7. 7

    Jim O'Halloran Says

    Yes, I've seen several reports that say the current (.f) variant will stop spreading on September 10th.

    Jim.

  8. 8

    Joe Says

    So if it will stop spreading on September 10th…why not change the times on the computers a few weeks ahead…and when September 10th comes and goes….correct the time?? Or am I missing something?

  9. 9

    JOe Says

    The posted time is not right.. it was posted on 8-25-03 at 12:51 eastern

  10. 10

    Jim O'Halloran Says

    Joe,

    For most businesses, changing the date is just not an option because it means that Invoices will be issued with the wrong date, accounting periods will be stuffed up and reconciliation becomes very difficult. For most home users though, there wouldn’t be a problem with doing that.

    Jim.

    PS: The server is in Adelaide, South Australia, and the posted time reflects the time in Adelaide when you posted the comment. My servers all synchronise their time to an accurate time source using NTP, so I’m sure that’s the right time.

  1. 1

    joatBlog

    Trackback on Jul 22nd, 2003 at 11:10 am
