
The Worm_Sobig.f Virus

20 August 2003

OK...this is the deal.

There is a very nasty virus slamming everyone right now. It contains a .pif file as an attachment and if you are running a PC and have opened it, just essentially toss out your machine. You will probably have to completely reinitialize your hard drive and reinstall everything to get rid of it. Macs are not affected at all (as he rubs it in...)

Now, here's the kicker...

No one using the PagePlop mail servers should have gotten an email with that virus. I have been blocking it since minutes after it was reported and am still blocking it. We are getting hammered with thousands of them every hour and blocking every one. There is an interesting twist to the spam filter, though.

When we block the file, we bounce it back to the original sender, who promptly strips the file and sends back an error message of some sort because the original sender in most cases does not exist. The body of that email simply states "Please see the attached file for details." If you have gotten any of them, it means that we have successfully blocked the original virus from getting to you. But a lot of folks have been getting tons of the bounce followups, so I have gone ahead and blocked the body string "please see the attached file" as well.

What that means is that the bounces are now getting blocked, but anyone trying to send you email with that phrase in it will also get blocked. Unfortunately, that may be a rather common phrase. Eventually I will take off that secondary spam block (while keeping the original virus block in place) but for the time being I am going to retain it because of all the problems it is causing.

So if someone complains, just tell them to take out that phrase for a week or two.

By the way, if you try to reply to this email and you leave the phrase in there, it will be blocked. :)
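To make the trade-off between the two blocks concrete, here is an added Python example (not PagePlop's actual filter) that applies an attachment-extension rule and the body-string rule to three constructed messages. The helper names, sample addresses, and sample message contents are assumptions made for illustration.

```python
from email.message import EmailMessage

BLOCKED_EXTENSIONS = (".pif", ".scr")            # extensions named on this page
BLOCKED_PHRASE = "please see the attached file"  # body string named on this page

def make_message(body, attachment=None):
    """Build a constructed sample message, optionally with one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"           # placeholder address
    msg["To"] = "your_name@example.com"          # placeholder address
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg

def attachment_rule(msg):
    """True if any MIME part's filename ends in a blocked extension."""
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return any(n.strip().lower().endswith(BLOCKED_EXTENSIONS) for n in names)

def phrase_rule(msg):
    """True if any plain-text body part contains the blocked phrase."""
    bodies = [p.get_content() for p in msg.walk()
              if p.get_content_type() == "text/plain" and not p.get_filename()]
    return any(BLOCKED_PHRASE in b.lower() for b in bodies)

def classify(msg):
    """Report which of the two rules would block this message."""
    return {"attachment_rule": attachment_rule(msg), "phrase_rule": phrase_rule(msg)}

# Constructed samples: an infected-style mail, a bounce followup, and ordinary mail.
SAMPLES = {
    "pif_attachment": make_message("Constructed sample body.", "details.txt.pif"),
    "bounce_followup": make_message("Please see the attached file for details."),
    "ordinary_mail": make_message("Hi, please see the attached file for the invoice.",
                                  "invoice.pdf"),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, classify(msg))
```

The ordinary message with a PDF is caught only by the phrase rule, which is the false positive described above; the attachment rule leaves it alone.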

THIS IS IMPORTANT...

Even though we are blocking the latest virus (which, by the way, is called worm_sobig.f) you may still be able to get the virus.

Many of our users have their own POP mail boxes on our system. The sobig virus will not get into those boxes. But many other users have us forward mail to off-site POP boxes. If mail passes first through our servers, we are blocking the virus before we send it off. But ANYONE can send an email directly to that off-site POP box without it passing through our system and its filters.

THOSE EMAILS MAY NOT BE PROTECTED.

(Once again, this virus DOES NOT affect Macs, only Microsoft systems.)

To explain further how this works...

Say that virus@spammer.com is trying to infect you. He will send the email to your_name@your_domain.com and we will not deliver it to the your_name mailbox on our system. But let's say that we are forwarding your email to off-site@aol.com for example.

When the virus comes into your_name@your_domain.com, we block it and it never even forwards to your AOL account. But someone can send the virus directly to your account at off-site@aol.com and it may not be blocked since it does not come through our system.

The bottom line:

NEVER open any attachment that is a .pif file, .scr file, or any file that you are not absolutely sure of. And don't rest on the fact that you may know the sender.

The way this worm works is that it infects one machine running Microsoft Outlook and hijacks that machine's address book. It then replicates itself and sends an infected email to everyone on that address list. If you are in the address list of someone who has an infected machine, you are going to be sent the infected email.

There is another nasty catch with this one, though.

Whoever created it is using the techniques of spammers to infect as many folks as possible. What is happening is that someone has a CD with tens of millions of email addresses on it. They are then using those names to send the virus to everyone on that list (just like spammers do). The intent is to infect as many machines as possible as quickly as possible without having to rely on the actual infection of Microsoft email clients and hijack of the address book to do the dirty work.

Again, be careful. This virus will propagate for months before it gets shut down, though the next several weeks will be the worst.

And if you want to get more info about the virus, check out http://www.cert.org/current/current_activity.html. Then update your software and virus protection.

This is gonna be a long week...
