What the hell is going on - SOBIG.F

[Gerry Doris]

On Sun, 31 Aug 2003, Tim Wunder wrote:

> On Sunday 31 August 2003 1:32 pm, someone claiming to be Bill Campbell wrote:
> > On Sun, Aug 31, 2003, Gerry Doris wrote:
> > >I have received several emails infected with Sobig.F supposedly from
> > >the list as well a pile of notices from various list members that they
> > >received infected messages.
> >
> > Most of the e-mail worms that attack the Microsoft virus, Windows forge the
> > headers so they appear to some somebody other than the real sender.
> >
> 
> AFAICT, it's only forging the From: address. The "Received From" headers seem 
> to be unaffected, unless it's changed since it first came out...

snip...

Well, I guess if no one else has been seeing all these virii then the 
infected system(s) picked up my email address and is using the list as 
the source.

The messages claim to have originated at three separate sites

unmc.edu (University of Nebraska)
rackshack.net (?)
zusket.net (?)

I'm now dumping any messages from these three locations directly to
/dev/null and things have quieted down!

This is on my home system and I'm only using four boxes.  Three of these 
are running linux and the other is turned off.  The infection is not on my 
network.

-- 
Gerry

"The lyfe so short, the craft so long to learne"  Chaucer