[clug] port 80 probes
ian.matters at iristech.com.au
Wed Aug 20 21:28:07 EST 2003
Read the following:
A U S C E R T A L E R T
AL-2003.14 -- AUSCERT ALERT
Mass-mailing virus/worm W32/Sobig.F-mm
20 August 2003
There is a new variant of the mass-mailing W32/Sobig virus known
as W32/Sobig.F-mm. Sobig.F-mm possesses a mass-mailing capability,
attaching itself to messages, and has the ability to propagate via
network shares similar to Sobig.E reported in AusCERT update
International reports indicate that Sobig is propagating rapidly.
Email infected with Sobig.F will have a spoofed "from:" address,
making this identification of the message origin unreliable.
Sobig.F messages may have one of the following subjects:
Re: Thank you!
Re: Re: My details
Re: Your application
Re: Wicked screensaver
Re: That movie
Sobig.F attachments have a random name, chosen from this list:
The message may have one of these lines as its content:
Please see the attached file for details.
See the attached file for details
This variant of Sobig is coded to stop replicating as of 10th
When possible, upgrade all anti-virus software to use the latest
definition files as soon as they become available.
Ensure that all network file shares are disabled unless necessary
and if possible ensure that active shares are password protected.
AusCERT advises members to disseminate and take action on this
information to prevent any undesirable activity by this virus
within their sites.
AusCERT has produced an article "Protecting your computer from
available at http://www.auscert.org.au/3352
The AusCERT team has made every effort to ensure that the information
contained in this security bulletin is accurate at the time of publication.
However, the decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
AusCERT maintains a World Wide Web service which is found on:
Internet Email: auscert at auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
Australian Computer Emergency Response Team
The University of Queensland
Auscert-public mailing list
Auscert-public at anu.edu.au
At 08:14 PM 20/08/2003, you wrote:
>What's the deal with the flood of port 80 probes I am
>seeing for the last two days? about 2400 so far since
>the morning of the 18th. It was rather quiet for the
>earlier part of the week.
>Eyal Lebedinsky (eyal at eyal.emu.id.au) <http://samba.org/eyal/>