[Flash]

Right, i opened up an e-mail from my mums work collegue, it was a win zip file with a file format .pif inside it. I was asked to try and open it, at first i thought it was a Windows 3.1 format .pif so tried opening it.

I opened it, nothing happened. Me drive spun, as per but nothing happened. Btw, i had my Outlook open at the time.

Now, i open outlook to check my e-mails... I send/recieve and get an e-mail from my freind named 'application' same as the one i got form my mums work collegue. With the same file attached 'your_details.zip'.

I scanned with Norton and it picked up nothing (i have 2002 but not with updated definitions as i havent re-newed my subscription). Any ideas what this thing is?!

That actual filename in the .zip file is 'details.pif'.

Cheers, Flash.

[Flash]

I just searched my Hard Drive for any files named 'detail.pif'. I found one:

DETAILS.PIF-1AA87EDF.pf

Location: C:\WINDOWS\Prefetch

Size: 12KB

Type: PF File

Date Modified: 02/07/2003 15:32 (Today).

Hellllllllllp me

[C-Girl]

.pif? You utter dumbass ! Anyone who had barin doesn't open .pif attachments! youve landed yerself a virus, lemme see if i can look it up.

[zivan56]

http://www.symantec.com/avcenter/venc/data...son.c.worm.html might be the one...

[C-Girl]

You have sobig.e

http://www.europe.f-...s/sobig_e.shtml

[C-Girl]

Delete your address book, quick! ive just read it fowards it self on!

[C-Girl]

C-Girl, on Jul 2 2003, 04:24 PM, said:

You have sobig.e

http://www.europe.f-...s/sobig_e.shtml

Spreading in e-mails

The worm spreads itself in e-mails. The infected message is composed by the worm from different, randomly selected subjects, a fixed message body and different, randomly selected attachment names. The worm's file is sent inside a ZIP archive attached to an infected message.

The worm has the following subjects hardcoded in its body:


referer.pif
004448554.pif
re.document.pif
new_document.pif
submited.pif
Screensaver.scr
movie.pif
Applications.pif
Application.pif
Your application
Re: Re: Document
Re: Re: Application ref. 003644
Re: Documents
Re: Screensaver
Re: Submited (Ref: 003746)
Re: Movies
Re: Movie
Re: Application

The worm has the following attachment names hardcoded in its body. The worm's executable file name that is sent in an archive is given in brackets:


Movie.zip (Movie.pif)
screensaver.zip (sky_world.scr)
document.zip (document.pif)
application.zip (application.pif)
your_details.zip (details.pif)

However, so far we only saw messages with the following characteristics:

Subject:

Re: Application

or
Re: Movie

Body:

Please see the attached zip file for details.

Attachment:

your_details.zip

The attachment contains the worm's file with DETAILS.PIF name. The fact that the worm uses only 2 subjects and 1 attachment name indicates that the randomizing routine of the worm has a bug.

Here's a screeshot of an infected message sent by the worm:

[rik]

It's a W32.SOBIG variant...probably W32.SOBIG.E@mm

http://securityresponse.symantec.com/avcen...sobig.e@mm.html

Symantec does have a removal tol you can download...

[amdphr3@kXP]

yup, i got the same thing from an address that was supposed to be from microsoft. Luckily i read an article on neworder.box.sk on it the day before so i knew what it was . I got AVG atm and it lets worms thru, it sux

[C-Girl]

Palyh or something, right?

[XPerties]

On emax hosting mail I get about 4-5 of these a day. I am not infected but I still get the zip files. Delete Delete, all day long.

[Flash]

w00t, thanks guys and gals The virus gone Used that removal tool... The worm actually expires soon i think anyway, so i heard, lol...

Thanks anyways.

[C-Girl]

yeah, it doesnt expire, but it stops multiplying itself on the 15th of july

[gamehead200]

I get viruses in my e-mail everyday, but my virus scanner picks them up and deletes them...

I've gotten the SOBIG, the YAHA, the KLEZ, and the LOVELETTER viruses! All deleted!

[C-Girl]

ive got klez, yaha, bug bear, and palyh, the microsoft fake one. one was in a loveletter

'dear mary'
its john hre, hope you had great fun the other night on the beach strole...eh? lol

[Unwonted]

Isn't sobig.e set to stop working on July 12th?

EDIT: Whoops! Just read flash's post. He mentionted it.

[gamehead200]

HandyBuddy, on Jul 2 2003, 06:24 PM, said:

Isn't sobig.e set to stop working on July 12th?

EDIT: Whoops!  Just read flash's post.  He mentionted it.

Why exactly would someone want to make a virus that stops spreading on July 12th? People can just advance their clocks...Can't they?

[C-Girl]

but maybe thats what the virus makers expect... i got a free trail of something and had 23 days left set back my clock a week and when i went back to the trail it said it had expired :cry: lol

[Doggie]

i've yet to get a viruse on my machine..
my parents got a one from the dr denmark or something lol.. and it stuffed there hdd

[Flash]

Yeah, thats my first virus really, on this comp (had for over a year i spose).

On my old machine, thats another story, mostly hacks on that with my little hack wars, lol.