
Norton just caught and quarantined about 5 of these coming in...

Maine Mary, Tue Sep-02-03 06:47 AM
Original message
Norton just caught and quarantined about 5 of these coming in...
W32SobigF@mm. Does anyone know what it is? I have Windows 98 (Outlook). Yeah, old pute I know.

Anyway I went to Symantec to see what the thing was but couldn't find the virus. Could it be a variant of the "Blaster" virus?

ikojo, Tue Sep-02-03 06:51 AM
Response to Original message
1. Here is what Norton says about sobigF...MAC not affected of course
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html

W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in the files that have the following extensions:


.dbx
.eml
.hlp
.htm
.html
.mht
.wab
.txt

The worm uses its own SMTP engine to propagate and attempts to create a copy of itself on accessible network shares, but fails due to bugs in the code.


Email routine details
The email message has the following characteristics:

From: Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address, admin@internet.com, as the sender.

NOTES:
The spoofed addresses and the Send To addresses are both taken from the files found on the computer. Also, the worm may use the settings of the infected computer's settings to check for an SMTP server to contact.
The choice of the internet.com domain appears to be arbitrary and does not have any connection to the actual domain or its parent company.

Subject:
Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Thank you!
Your details

Body:
See the attached file for details
Please see the attached file for details.

Attachment:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif


NOTES:
The worm de-activates on September 10, 2003. The last day on which the worm will spread is September 9, 2003.
The aforementioned de-activation date applies only to the mass-mailing, network propagation, and email address collection routines. This means that a W32.Sobig.F@mm-infected computer will still attempt to download the updates from the respective list of master servers during the associated trigger period, even after the infection de-activation date. Previous variants of Sobig exhibited similar behavior.
Outbound UDP traffic was observed on August 22nd, coming from systems infected with both Sobig.E and Sobig.F. However, the target IP addresses were either not responding, taken offline, or contained non-executable content; that is, a link to an adult site.
W32.Sobig.F@mm uses a technique known as "email spoofing," by which the worm randomly selects an address it finds on an infected computer. For more information on email spoofing, see the "Technical Details" section below.

Symantec Security Response has developed a removal tool to clean the infections of W32.Sobig.F@mm.

Also Known As: Sobig.F , W32/Sobig.f@MM , WORM SOBIG.F , W32/Sobig-F , Win32.Sobig.F , I-Worm.Sobig.f

Type: Worm
Infection Length: about 72,000 bytes



Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 3.x

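Added example (not part of the thread or of Symantec's write-up): a Python mail check built from the subject, body and attachment lists in the advisory quoted in reply #1. The names `classify` and `sample`, the verdict labels and the generic `.pif`/`.scr` extension rule are assumptions made for this illustration, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators as listed in the advisory quoted in reply #1 (lower-cased).
SUBJECTS = {"re: details", "re: approved", "re: re: my details", "re: thank you!",
            "re: that movie", "re: wicked screensaver", "re: your application",
            "thank you!", "your details"}
BODIES = {"see the attached file for details",
          "please see the attached file for details."}
ATTACHMENTS = {"your_document.pif", "document_all.pif", "thank_you.pif",
               "your_details.pif", "details.pif", "document_9446.pif",
               "application.pif", "wicked_scr.scr", "movie0045.pif"}

def classify(raw):
    """Return (verdict, hits). From: is ignored because the worm spoofs it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() in BODIES:
        hits.append("body")
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if any(n in ATTACHMENTS for n in names):
        hits.append("attachment-name")
    elif any(n.endswith((".pif", ".scr")) for n in names):
        hits.append("executable-extension")  # generalisation, not from the advisory
    if "attachment-name" in hits and len(hits) >= 2:
        return "sobig.f-like", hits
    if "attachment-name" in hits or "executable-extension" in hits:
        return "suspicious", hits
    return "clean", hits  # a lone "Thank you!" subject proves nothing

def sample(subject, text, filename=None):
    """Build a constructed test message (not a captured worm e-mail)."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "reader@example.com"
    m["Subject"] = subject
    m.set_content(text)
    if filename:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for args in [("Re: Details", "Please see the attached file for details.", "details.pif"),
                 ("Thank you!", "Lunch was great."),
                 ("Holiday photos", "Here you go.", "beach.scr")]:
        print(args[0], "->", classify(sample(*args)))
```

The attachment name carries the verdict; subject and body only corroborate it, since several of the listed subjects are ordinary phrases.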
 
Maine Mary, Tue Sep-02-03 07:07 AM
Response to Reply #1
2. Thanks!
Boy, am I glad I've been keeping Norton updated!

quispquake, Tue Sep-02-03 07:23 AM
Response to Reply #2
5. Yeah, these beasties are all over the place...
I'm from Maine too (WTVL), and my place of business luckily missed the SOBIG, but we got CREAMED by the Master Blaster..

Gore1FL, Tue Sep-02-03 07:11 AM
Response to Reply #1
3. Mac not affected
No one writes viruses for MACs either? I thought they just didn't write shrinkwrap for it!

:)

DS1, Tue Sep-02-03 08:52 AM
Response to Reply #1
6. pfft, MAC users would make you think there were no mac viruses
typical apple marketing.

northzax, Tue Sep-02-03 09:03 AM
Response to Reply #6
7. of course
why bother writing viruses that only bother a couple of thousand people? it'd be like dropping a nuke on Iowa, sucks for the Iowans, but not quite the same effect as LA, right

soleft, Tue Sep-02-03 07:15 AM
Response to Original message
4. Hi Maine Mary
Haven't seen you around, hope all is well.

Maine Mary, Tue Sep-02-03 09:48 AM
Response to Reply #4
8. Thanks
:-) Everything is fine. I've been keeping myself busy. We are remodeling the house and things have been sheer chaos around here.

Aristus, Tue Sep-02-03 09:51 AM
Response to Original message
9. Hi Mary. I've got Windows 98 and Norton. How are you able to
view what viruses Norton caught? Do you mean the viruses Norton caught on your computer personally, or just Norton Utilities in general?

Maine Mary, Tue Sep-02-03 10:33 AM
Response to Reply #9
10. Norton caught it coming in on Outlook
As the mail was coming in a big ALERT! box came up. It said what kind of virus it was & which e-mail, and gave me steps to quarantine it (actually them, all 5)

Aristus, Tue Sep-02-03 10:42 AM
Response to Reply #10
11. So you can subscribe to Norton for virus alerts via e-mail, then?
I've got the Norton 'stoplight' system alert. Can I subscribe to alerts at Norton's website?