SoBig Virus - Beat the E-mail Bug
SoBig is a virus program that runs on an infected computer. A computer
can be infected via an email attachment. The information below is
representative of DOZENS upon DOZENS of viruses detected since SoBig
was detected in January, 2003. This information, although it is
several years old, may help explain many of the current suspicious
e-mails you've been receiving lately.
HOW SOBIG WORKS
Once SoBig is running, it scans your hard drive for email addresses. This can
be anyone's email address, not just yours. It doesn't just look in your address
book but also in any web pages that are stored on your hard drive.
A goldmine of addresses is usually gathered from the browser's folder of recently
viewed pages - in Internet Explorer that's the Temporary Internet
Files folder.
The important point is that email addresses are stolen from all sorts of places
on a computer.
Once SoBig has those addresses it starts sending out infected email messages.
See 'The Infected Email Message' below for details.
Those infected messages are marked as coming
FROM: one of the stolen email addresses
TO: another of the stolen email addresses
Vital Point: The message will almost invariably NOT really come from the email
address shown.
Don't blame the apparent FROM email address in an infected message - not only
is the person probably not infected, they are totally unaware that a message has
been sent in their name.
There's no practical way to trace the source of the infected messages, at least
not for those of us who don't do anti-virus tracking for a living. In the current
attack the messages may well be coming from multiple sources.
SoBig uses its own SMTP server to send out infected messages, which means you
don't have to have an email program running, and it is harder to trace the source
of infection.
The best thing you can do is delete the infected messages and make sure you
are not infected yourself.
The worm itself isn't new, but this is a new variant on a known baddie.
THE INFECTED EMAIL MESSAGE
SoBig infected messages have several characteristics that can help
identify them both manually and by spam filters.
The messages have one of these subject lines:
- Re: Details
- Re: Approved
- Re: My details
- Re: Thank you!
- Re: That movie
- Re: Wicked screensaver
- Re: Your application
- Thank you!
- Your details
Of course, you could get legitimate emails with these subjects, which is why
they are used.
Trapping for the infected attachments is a more reliable method in the long
run. Sadly not all mail filters have this feature (hello Microsoft) even though
it is obvious and would be really useful.
The messages all have an attachment with one of these names:
- your_document.pif
- document_all.pif
- thank_you.pif
- your_details.pif
- details.pif
- document_9446.pif
- application.pif
- wicked_scr.scr
- movie0045.pif
If your mail filter can do it, trap for ALL .PIF and .SCR files and delete
the messages. It's unlikely that anyone sensible would be sending out messages
with those attachments - at least not these days.
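As an added example (not code from the original article), here is a small filter that applies the two characteristics listed above: the known subject lines as a weaker signal, and .PIF/.SCR attachments as the reliable trigger for deletion. The sample messages are constructed, not captured mail.

```python
# Added example: flag SoBig-style mail using the subject lines and attachment
# extensions the article lists. Sample messages below are constructed.
from email import message_from_string
from email.message import Message

SOBIG_SUBJECTS = {
    "Re: Details", "Re: Approved", "Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Thank you!", "Your details",
}
BLOCKED_EXTENSIONS = (".pif", ".scr")


def attachment_names(msg: Message) -> list:
    """Collect the filenames of every attachment part in a (multipart) message."""
    names = []
    for part in msg.walk():          # walk() yields the message and all sub-parts
        name = part.get_filename()   # None for parts with no filename
        if name:
            names.append(name)
    return names


def classify(raw: str) -> tuple:
    """Return (verdict, reason): 'delete' for any .pif/.scr attachment (the
    reliable check), 'suspect' for a known subject line only, else 'keep'."""
    msg = message_from_string(raw)
    for name in attachment_names(msg):
        if name.lower().endswith(BLOCKED_EXTENSIONS):   # case-insensitive
            return "delete", f"attachment {name}"
    if (msg.get("Subject") or "").strip() in SOBIG_SUBJECTS:
        return "suspect", "known SoBig subject line"
    return "keep", ""


# Constructed sample messages (not real captured mail).
INFECTED = (
    "From: someone@example.com\r\nTo: you@example.com\r\n"
    "Subject: Re: Wicked screensaver\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nSee the attached file for details.\r\n"
    '--b1\r\nContent-Type: application/octet-stream; name="wicked_scr.scr"\r\n'
    'Content-Disposition: attachment; filename="wicked_scr.scr"\r\n\r\nAAAA\r\n--b1--\r\n'
)
LEGIT = (
    "From: colleague@example.com\r\nTo: you@example.com\r\n"
    "Subject: Re: Thank you!\r\n\r\nNo problem, glad it helped.\r\n"
)

if __name__ == "__main__":
    for label, raw in (("infected", INFECTED), ("legit", LEGIT)):
        print(label, classify(raw))
```

A legitimate reply that happens to use one of the listed subjects is only marked 'suspect', which is why the article recommends trapping the attachments rather than the subjects.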
STOPPING THE SOBIG TSUNAMI
But you already have a mailbox full and beyond with infected messages
- what do you do?
The problem is not just the number of messages but also their size - even with
a broadband connection it can take a long time to grab all the messages.
In situations like this it's best to delete the messages directly from your
ISP or company mailbox before you download them to your email client.
There are various ways you can do this, depending on how your email
is set up, who hosts it, and what email program you use. So we can
only give general advice, not specific info.
Here are some options:
WEB BASED EMAIL
Most mailboxes have a web-based option that lets you access them from any web browser.
Most ISPs have, or should have, this service. Companies using Microsoft Exchange
Server probably have Outlook Web Access running.
Check your ISP's customer info pages for details. The name of the service can
vary, but it's usually called 'Web Mail', 'Mail from the Web' or something similar.
(Usually it's the same login name and password as your email program uses to grab
mail.)
Inside a company, check with your IT department - though you'd hope the IT
manager would be stopping infected messages before they hit your Inbox.
Once you've logged into your mail account via the web look through the Inbox
and delete any SoBig messages. They'll be pretty easy to spot from the Subject
lines listed above.
Most webmail systems have check-boxes next to each message; you can tick the
box and then choose a 'Delete selected messages' option. If your mailbox is clogged,
it may be easier to use 'Select All' and then DEselect the messages you want to
keep.
Once you've done that, you can start your mail program and grab the remaining,
wanted, messages as usual.
WEB2MAIL
If your mail account does NOT have webmail support, you can try
web2mail.com -- this provides webmail support for any POP account.
All you do is give it your email address and password and it will
figure out the rest.
REMOTE MAIL
Outlook has a little-used Remote Mail (or Download Headers Only)
feature. We won't go into detail here; suffice it to say that Remote
Mail grabs only the mail header for each message, and lets you decide
which messages to fully download or delete from the mailbox.
WebMail is easier to use these days, but if that is not available look for
Remote Mail or Headers in the online help.
SIDE-EFFECTS OF SOBIG
As well as Sobig infected messages you may be seeing mysterious messages in
your mailbox. These are automated responses to messages that Sobig has sent, supposedly
coming from you.
In other words, on an infected computer, Sobig has found your email
address and is sending out messages with your address as the FROM.
As a result you may get automatic responses from systems set up to respond to
the message 'you' sent. Even though it didn't really come from you, the receiving
computer doesn't know that.
While you can trap and delete the infected Sobig messages themselves,
there's no way to reliably identify these side-effect messages except
by looking at them yourself.
The infected message may well go to someone you've never heard of, because
it's just another address stolen from the infected computer.
The most common responses you may get are 'Out of Office' or 'Vacation'
replies, also 'Unknown receiver' if the TO address is old, 'Over
quota' or 'Full Mailbox'. Any of the standard, automatic responses
could come to you even though you really didn't send the message
in the first place.
FULL MAILBOXES
With so many infected messages going around you might find that an
email you send is bounced because the receiver's mailbox is full.
Nothing much you can do except wait and try again later, unless you
have another way to contact that person and warn them.
SLOW MAIL
Some mail systems, especially in companies, have slowed to a crawl because
the mail server is trying to cope with the large volume of mail.
Again, not a lot you can do but wait. If you're sending an urgent email, you
might want to phone the receiver to make sure they got it.
STANDARD PRECAUTIONS APPLY
You should have good and up-to-date anti-virus software.
Any of the major anti-virus packages are OK.
Get anti-virus software, install it, keep it updated and run it regularly.
Up to date is VITAL. There's no point in having anti-virus software with old
virus information. These days 'old' can mean last week.
Grab the latest updates (there may have been one in the last 12
hours). In Norton products the 'LiveUpdate' option will handle this.
Other products have similar options.
After you have the update, scan your entire computer just to make sure that
you are not infected with SoBig yourself.