W32/Sobig virus? [adrian@gimp.org: Re: Approved]

A Guy Called Tyketto
2003-06-05 00:29:11 UTC

W32/Sobig virus? [adrian@gimp.org: Re: Approved]

It appears that someone (maybe on gimp-developer, maybe not) has been socked with the W32/Sobig virus/worm. It's similar to the KLEZ worm, but is a bit more picky. I've been getting a lot of messages like below, but since my main machine is a linux box, I'm not getting infected. Spamassassin is helping to find it, but thought everyone would want to know. From the NANOG mailing list:

--snip--

On 03.06 13:44, Dominic J. Eidson wrote:

I'm having a feeling that someone harvested a bunch of addresses, possibly from NANOG, and is using them as the sender address in pretend-to-be KLEZ spams. I have received several bounces lately, several of them appearing to be KLEZ, all with me as the original sender ....

Just to add another data point:

The same thing started happening to me a few days ago. I do not know any of the recipients of the bounces but some people I *do* know advised me they are getting them. I cannot say whether this is really KLEZ or not, not enough data.

http://vil.nai.com/vil/content/v_100343.htm (W32/Sobig.c@MM), which is Klez-like in how it picks its targets.... It's been on a rampage since Friday night.

--snip--

If you're on the list with your MUA being Windows-based, please visit the URL above, get info on the worm, and update your virus programs and mail filters. Right now, I have virii and spam going to /dev/null, but brought this out to give everyone a heads up.

BL.

----- Forwarded message from adrian@gimp.org -----

From:
To:
Subject: [Gimp-developer] Re: Approved
Date: Wed, 4 Jun 2003 17:02:24 +0200
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=5.5 required=5.0 tests=FORGED_MUA_OUTLOOK,MISSING_MIMEOLE,NO_REAL_NAME,RAZOR2_CF_RANGE_91_100,RAZOR2_CHECK version=2.55
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)

This mail is probably spam. The original message has been attached along with this report, so you can recognize or block similar unwanted mail in future. See http://spamassassin.org/tag/ for more details.

Content preview: This is a multipart message in MIME format Please see the attached file. MIME-Version: 1.0 Gimp-developer mailing list Gimp-developer@lists.xcf.berkeley.edu http://lists.xcf.berkeley.edu/mailman/listinfo/gimp-developer [...]

Content analysis details: (5.50 points, 5 required)
NO_REAL_NAME (1.1 points) From: does not include a real name
RAZOR2_CF_RANGE_91_100 (1.2 points) BODY: Razor2 gives a spam confidence level between 91 and 100 [cf: 100]
RAZOR2_CHECK (0.9 points) Listed in Razor2, see http://razor.sf.net/
MISSING_MIMEOLE (0.1 points) Message has X-MSMail-Priority, but no X-MimeOLE
FORGED_MUA_OUTLOOK (2.2 points) Forged mail pretending to be from MS Outlook

The original message did not contain plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.

Content-Description: original message before SpamAssassin
Delivered-To: gimp-developer@lists.xcf.berkeley.edu
Delivered-To: gimp-developer@scam.xcf.berkeley.edu
From:
To:
Date: Wed, 4 Jun 2003 17:02:24 +0200
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
Subject: [Gimp-developer] Re: Approved
X-BeenThere: gimp-developer@lists.xcf.berkeley.edu
X-Mailman-Version: 2.1b4
Precedence: list
List-Id:
List-Post:
List-Subscribe: ,
List-Unsubscribe: ,
List-Archive:
List-Help:
Errors-To: gimp-developer-bounces@lists.xcf.berkeley.edu

Please see the attached file.

Gimp-developer mailing list
Gimp-developer@lists.xcf.berkeley.edu
http://lists.xcf.berkeley.edu/mailman/listinfo/gimp-developer

----- End forwarded message -----
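
The SpamAssassin 2.55 report quoted in the forwarded message above is a fixed text format, so a list maintainer can cross-check it mechanically before trusting it. The following Python is an added example, not code from this thread or from SpamAssassin: it parses the X-Spam-Status header (unfolding a continuation line) and the "Content analysis details" block, both constructed here from the values quoted above, and reports a header whose per-rule points, tests= list and Yes/No flag do not agree with each other.

```python
import re

# Constructed sample: the SpamAssassin 2.55 header and report lines quoted in the
# forwarded message above, with tests= folded across two lines as an MTA would deliver it.
SAMPLE_HEADERS = (
    "X-Spam-Flag: YES\n"
    "X-Spam-Status: Yes, hits=5.5 required=5.0 tests=FORGED_MUA_OUTLOOK,\n"
    "\tMISSING_MIMEOLE,NO_REAL_NAME,RAZOR2_CF_RANGE_91_100,RAZOR2_CHECK version=2.55\n"
    "X-Spam-Level: *****\n"
)
SAMPLE_REPORT = """\
Content analysis details: (5.50 points, 5 required)
NO_REAL_NAME (1.1 points) From: does not include a real name
RAZOR2_CF_RANGE_91_100 (1.2 points) BODY: Razor2 gives a spam confidence level between 91 and 100 [cf: 100]
RAZOR2_CHECK (0.9 points) Listed in Razor2, see http://razor.sf.net/
MISSING_MIMEOLE (0.1 points) Message has X-MSMail-Priority, but no X-MimeOLE
FORGED_MUA_OUTLOOK (2.2 points) Forged mail pretending to be from MS Outlook
"""

STATUS_RE = re.compile(r"^X-Spam-Status:\s*(?P<flag>Yes|No),\s*hits=(?P<hits>-?[\d.]+)"
                       r"\s+required=(?P<req>[\d.]+)\s+tests=(?P<tests>.*?)\s*version=", re.M)
RULE_RE = re.compile(r"^(?P<rule>[A-Z0-9_]+)\s+\((?P<pts>-?[\d.]+) points\)", re.M)

def parse_status(headers):
    """Return flag, score, threshold and rule names from X-Spam-Status (RFC 2822 unfolded)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    m = STATUS_RE.search(unfolded)
    if not m:
        raise ValueError("no X-Spam-Status header")
    tests = [t.strip() for t in m.group("tests").split(",") if t.strip()]
    return {"spam": m.group("flag") == "Yes", "hits": float(m.group("hits")),
            "required": float(m.group("req")), "tests": tests}

def parse_report(report):
    """Map each rule named in the 'Content analysis details' block to its points."""
    return {m.group("rule"): float(m.group("pts")) for m in RULE_RE.finditer(report)}

def check_consistency(headers, report):
    """Cross-check header and report; a mismatch means the report was not produced as-is."""
    status, rules = parse_status(headers), parse_report(report)
    problems = []
    if set(rules) != set(status["tests"]):
        problems.append("tests= list and report rules differ")
    if abs(sum(rules.values()) - status["hits"]) > 0.05:
        problems.append("rule points do not add up to hits=")
    if status["spam"] != (status["hits"] >= status["required"]):
        problems.append("Yes/No flag disagrees with hits and required")
    return status, rules, problems
```

For the quoted report all three checks pass, and the 5.5 total is the sum of the five listed rules, 2.2 of which come from FORGED_MUA_OUTLOOK alone.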
Raphaël Quinet
2003-06-05 13:22:56 UTC

W32/Sobig virus? [adrian@gimp.org: Re: Approved]

On Wed, 4 Jun 2003 15:29:11 -0700, A Guy Called Tyketto wrote:

It appears that someone (maybe on gimp-developer, maybe not) has been socked with the W32/Sobig virus/worm. It's similar to the KLEZ worm, but is a bit more picky. I've been getting a lot of messages like below, but since my main machine is a linux box, I'm not getting infected. Spamassassin is helping to find it, but thought everyone would want to know. From the NANOG mailing list: [...]
http://vil.nai.com/vil/content/v_100343.htm (W32/Sobig.c@MM) which is klez

[...]

The page linked from the message that you quoted contains this note:

* Note: This variant spoofs, or forges, the from address. Therefore the perceived sender is likely not a pointer to the infected user.

It is also likely that the infected user is not a member of gimp-developer. As the worm scans the address books and all HTML and text files on the victim's computer, it is not hard to imagine that it could have found some GIMP-related addresses in the same file and sent a mail claiming to be from Adrian (or Adam, as in the last message) to the gimp-developer list. The victim can be any user of the Windows version of the GIMP (the worm would have found the addresses in the documentation) or any user of any version of the GIMP who was using a Windows PC for browsing some GIMP-related web pages (the worm would have found the addresses in the browser's cache). In any case, there is a rather low probability that this user is a member of this list.

And by the way, there are relatively few of these worm-generated messages that made it through the gimp-developer list. I assume that most of the messages targeted at this list were bounced to our dear list maintainer. I have seen many more worms going through the address bugs@gimp.org, for example (in the order of several dozens per day, although I did not count them).

-Raphaël