[clug] port 80 probes

Ian Matters ian.matters at iristech.com.au
Wed Aug 20 21:28:07 EST 2003


Read the following:

Ian Matters.
---
===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                         AL-2003.14 -- AUSCERT ALERT
                   Mass-mailing virus/worm W32/Sobig.F-mm
                               20 August 2003

===========================================================================


         There is a new variant of the mass-mailing W32/Sobig virus known
         as W32/Sobig.F-mm.  Sobig.F-mm possesses a mass-mailing capability,
         attaching itself to messages, and has the ability to propagate via
         network shares similar to Sobig.E reported in AusCERT update
         AU-2003.007:

                 https://www.auscert.org.au/render.html?it=3204

         International reports indicate that Sobig is propagating rapidly.

         Email infected with Sobig.F will have a spoofed "from:" address,
         making this identification of the message origin unreliable.
         Sobig.F messages may have one of the following subjects:

                 Re: Thank you!
                 Thank you!
                 Your details
                 Re: Details
                 Re: Re: My details
                 Re: Approved
                 Re: Your application
                 Re: Wicked screensaver
                 Re: That movie

         Sobig.F attachments have a random name, chosen from this list:

                 your_document.pif
                 document_all.pif
                 thank_you.pif
                 your_details.pif
                 details.pif
                 document_9446.pif
                 application.pif
                 wicked_scr.scr
                 movie0045.pif

         The message may have one of these lines as its content:

                 Please see the attached file for details.
                 See the attached file for details

         This variant of Sobig is coded to stop replicating as of 10th
         September 2003.

         Information
         -----------

         http://www.f-secure.com/v-descs/sobig_f.shtml
         http://vil.nai.com/vil/content/v_100561.htm#VirusInfo
         http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=49259
         http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100561
         http://securityresponse1.symantec.com/sarc/sarc.nsf/html/w32.sobig.f@mm.html
         http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F
         http://www.sophos.com/virusinfo/analyses/w32sobigf.html
         http://www.messagelabs.com/viruseye/info/default.asp?tabIt=rep&virusname=W32/Sobig.F-mm 


         Solution
         --------

         When possible, upgrade all anti-virus software to use the latest
         definition files as soon as they become available.

         Ensure that all network file shares are disabled unless necessary
         and if possible ensure that active shares are password protected.

         AusCERT advises members to disseminate and take action on this
         information to prevent any undesirable activity by this virus
         within their sites.

         AusCERT has produced an article "Protecting your computer from malicious code",
         available at http://www.auscert.org.au/3352

- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this security bulletin is accurate at the time of publication.
However, the decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

         http://www.auscert.org.au/render.html?it=3192

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert at auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                 AusCERT personnel answer during Queensland business
                 hours which are GMT+10:00 (AEST).  On call after hours
                 for member emergencies only.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBP0Ka7Sh9+71yA2DNAQGP3QQAjRaeyKsRIeFWagltR+099w5SwhTLsSmP
Fg+Bg8sXGP2IelVbSvHK1zGwVjDpNQcvVAk7wGDK0eyyTItZ3s6Db7mi4Ad4XgKi
YRE+ccZbe34E8hxDH6Gem11NqiVMVcfo2gvQZUHNBWM8LJbcdXEknWSSZTqf6+du
r32S3U9rzAg=
=JH9q
-----END PGP SIGNATURE-----
_______________________________________________
Auscert-public mailing list
Auscert-public at anu.edu.au
http://mailman.anu.edu.au/mailman/listinfo/auscert-public

---
At 08:14 PM 20/08/2003, you wrote:
>What's the deal with the flood of port 80 probes I am
>seeing for the last two days? about 2400 so far since
>the morning of the 18th. It was rather quiet for the
>earlier part of the week.
>
>--
>Eyal Lebedinsky (eyal at eyal.emu.id.au) <http://samba.org/eyal/>
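As an added example (not part of Ian's message, the AusCERT bulletin, or any clug code), the script below turns the indicators quoted in the alert, the subject lines, attachment names and body lines, into a mail-gateway check. The two sample messages it builds are constructed, the sender addresses are placeholders, and the quarantine/review/clean policy is an assumption; as the alert notes, the From: address is spoofed, so it is deliberately not used as an indicator.

```python
"""Detection example: flag inbound mail matching the W32/Sobig.F-mm
indicators listed in AusCERT alert AL-2003.14 (subjects, attachment
names, body lines).  Added illustration, not AusCERT's or clug's code."""
import email
from email import policy
from email.message import EmailMessage

# Indicator lists copied from the alert text quoted above.
SOBIG_F_SUBJECTS = {
    "Re: Thank you!", "Thank you!", "Your details", "Re: Details",
    "Re: Re: My details", "Re: Approved", "Re: Your application",
    "Re: Wicked screensaver", "Re: That movie",
}
SOBIG_F_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}
SOBIG_F_BODIES = {
    "Please see the attached file for details.",
    "See the attached file for details",
}
# The alert says the From: header is spoofed, so it is not an indicator here.


def find_indicators(raw_bytes):
    """Return a list of 'kind:value' strings, one per indicator hit."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SOBIG_F_SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if name.lower() in SOBIG_F_ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name.lower().endswith((".pif", ".scr")):
            # Not on the alert's list, but the same executable extensions.
            hits.append("extension:" + name)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    if text in SOBIG_F_BODIES:
        hits.append("body:" + text)
    return hits


def classify(raw_bytes):
    """Assumed policy: a listed attachment name is enough to quarantine,
    any other hit is routed for review, no hit is clean."""
    hits = find_indicators(raw_bytes)
    if any(h.startswith("attachment:") for h in hits):
        return "quarantine", hits
    if hits:
        return "review", hits
    return "clean", hits


def _build(subject, body, attachment_name=None):
    """Constructed sample message (not a real capture); the attachment
    payload is a placeholder string, not malware."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ-placeholder-not-real-malware",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


def sample_sobig():
    """Constructed message matching three of the alert's indicators."""
    return _build("Re: Your application",
                  "Please see the attached file for details.",
                  "application.pif")


def sample_benign():
    """Constructed ordinary message with a harmless text attachment."""
    return _build("Minutes of Tuesday's meeting",
                  "Attached as discussed.", "minutes.txt")


if __name__ == "__main__":
    for raw in (sample_sobig(), sample_benign()):
        print(classify(raw))
```

Matching on exact subject and filename strings is deliberately narrow, which keeps false positives low for the listed variant; a gateway rule meant to survive the next variant would lean on the executable-extension branch and on signature updates, which is what the alert's Solution section recommends.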