• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Sobig.F

#1
what is happening, this must be the worst week ever for viruses, is there a fix out for this one yet, or a belated patch from Microsoft?
 

Jewelzz

OSNN Godlike Veteran
#2
This was an email I received today about this worm

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use the Trend Micro System Cleaner.

MANUAL REMOVAL INSTRUCTIONS

Disabling the Malware Service

This removes the running malware service from memory on systems running Windows NT, 2000, and XP.

Open a command prompt window. Click Start>Run, type CMD and then press the Enter key.
At the command prompt, type the following:
NET STOP "Network Connections Sharing"
Press the Enter key. A message should indicate that the service has been stopped successfully.
Do the same to stop the following service:
NET STOP "WINS Client"
Close the command prompt window.
Removing the Malware Service

Restart your machine to terminate the malware service.
Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSetServices>
Still in the left panel, delete the subkeys:
RpcPatch
RpcTftpd
Close Registry Editor.
Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_MSBLAST.D. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.

Applying Patches

TrendLabs advises all affected users to apply the patches issued by Microsoft from the following page:

Microsoft Security Bulletin MS03-026


Microsoft Bulletin MS03-007>Microsoft Bulletin MS03-007


TrendLabs also asks users to filter access to port 135 and allow trusted and internal sites only.
RPC DCOM Buffer Flow Vulnerability Scanning Tool

TrendLabs advises users to download the scanning tool released by Microsoft that can identify host machines in the network that do not have the MS03-026 security patch installed.

This Microsoft Scanning Tool is available for download at: http://support.microsoft.com?kbid=826369.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.




For additional information about this threat, see Technical Details.
 
#4
This is what bothers me, I have all the recommended software, a good firewall, top notch AV protection, all up to date and MS automatic updates enabled, yet I still got the last one, whats next?
 
#5
Sobig does not use the DCOM expolit nor is a blaster varient. There is not patch as there is not security hole. This is just a mass-mailer that we should all be used to by now ;)

Keep your AV up to date and you should be fine against the mass of blaster varients doing the rounds.

Your AV protection may not be so top notch as it slipped in, what are you using?

Technical Details:

http://sarc.com/avcenter/venc/data/w32.sobig.f@mm.html

Something interesting to note:

"The worm de-activates on September 10, 2003. The last day on which the worm will spread is September 9, 2003."

Does Ad-Aware detect this? It's just yet another mass mailer, again why are the AAW team taking on worms? They are not a AV vendor.

Edit: I went and checked. The added detection for blaster was a one off due to the nature of the threat. AAW does not detect SoBig or any other worm it should not be used to verifiy a clean system.
 

Terrahertz

Extinction Agenda
Political User
#7
Yeah we got it here in a few machines at work. [people just like to open anything:confused: ] But symantec enterprise new updates found it and where now running the removal tools.
 
#10
Hardly, it detects one worm, has no sense of heuristics, has no runtime unpacker, cant prevent infection only detect and remove it.

A AV does the job of a AV. AAW detects adware and spyware and one worm, lets not mistake it for something its not.
 
#11
Ad Aware goes above and beyond what its supposed to be used for by detecting and cleaning the virus. I think AV companies need to be more efficent with their products is all.
 
#12
Above and beyond? It detects one worm and a couple of its variants! And it did not offer that until it was ITW.

Main stream AVs had detections out way advanced of AAW, in most cases same day or before it was highly distributed ITW.

My AV detects 72765 and has heuristics capability on-top of that, pretty efficient IMO.

Anyway my point was AAW is not intended to be used to remove viruses, its engine though capable of doing so was not built for it. Also it does not detect sobig.
 
#13
Originally posted by Enyo
And it missed it? :eek:
Thats right it missed it, it did however detect it AFTER I installed the Microsoft Patch, which was not installed on my machine even though I had automatic updates activated
 

Members online

No members online now.

Latest posts

Latest profile posts

Hello, is there anybody in there? Just nod if you can hear me ...
Xie
What a long strange trip it's been. =)

Forum statistics

Threads
61,960
Messages
673,237
Members
89,011
Latest member
grovo_test