What the hell is going on - SOBIG.F
Gerry Doris
gerry
Mon May 17 11:52:11 PDT 2004
On Sun, 31 Aug 2003, Bill Campbell wrote:
> On Sun, Aug 31, 2003, Gerry Doris wrote:
> >I have received several emails infected with Sobig.F supposedly from
> >the list as well a pile of notices from various list members that they
> >received infected messages.
>
> Most of the e-mail worms that attack the Microsoft virus, Windows, forge the
> headers so they appear to come from somebody other than the real sender.
>
> I'm getting a fairly large number of virus notices from brain-dead virus
> scanners addressed to bill at Celestial.COM (note the capitalization) saying
> that I sent them a virus. The only place my e-mail address appears
> capitalized like that is in the signature block of my e-mails or perhaps in
> some rather ancient usenet news postings (at least 10 years old). I don't
> do e-mail on any Windows machines, and never have. The only times I've
> ever run OutLook has been to go through the menus to figure out how to
> specify server addresses, and once to see how Caldera's Volution Messaging
> System's one-click configuration worked.
>
> My guess is that the volume of mail messages from the so-called virus
> scanning software to the forged sender addresses probably is greater than
> the volume of actual worms.
>
> Bill
I believe that Doug is using ClamAV to scan the list messages. I'm using
ClamAV as well as F-Prot and TrendMicro. Only F-Prot and Trend are
picking up this variant of Sobig.F for me. ClamAV seems to be missing
them.

I even tried scanning my quarantine directory and ClamAV still misses the
virus. Yes, I'm using the latest ClamAV signatures.

I suspect these viruses are coming through the list. I could be wrong, since
Sobig forges the headers, but I think they're slipping through.
--
Gerry
"The lyfe so short, the craft so long to learne" Chaucer
More information about the Linux-users
mailing list