Another one that's on the loose > W32.Sobig.F@mm [Archive] - PCMech Forums

morriswindgate
08-19-2003, 11:09 AM
AOL users all over the world are waking up with joy after hearing "You've Got Mail!" and finding that not only do they have mail from a complete stranger but, IT HAS AN ATTACHMENT!

For More Details

http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html

Larry E.
08-19-2003, 03:56 PM
I have gotten over 150 of these so far today, the latest norton update will catch them.

drisley
08-19-2003, 04:09 PM
I've gotten hundreds of these things today. There must be a lot of infected computers out there.

glc
08-20-2003, 01:51 AM
It takes a real idiot to spread this - not only do you have to unzip a zip file, then you have to run a .pif or .scr file! My biggest customer (a LAWYER) did exactly that today. Oh well, I smell $$$$$ tomorrow, this sucker looks for network shares so his server is gonna be infected.

morriswindgate
08-20-2003, 01:55 AM
I had four of them tonight when I got to work. This one seems to have taken a lot of Sys Admins by surprise, given where they were addressed from.

BFD Deadeye
08-20-2003, 11:37 AM
I have a client who got 150 of these in her inbox this morning. And although NAV caught it, she is frustrated with the thing. Any way to call the ISP to filter out these things? Ours is a local, not a national ISP. Do I have to call her back and say 'tough luck, you're gonna have to live with it'?

SARGE
08-20-2003, 09:47 PM
I checked her pc today as hers is the only one that e-mails. Soon as I turned the pc on, Zone Alarm asked permission for "winppr32.exe" to access the Net. I did a Google search for that and it indicated the virus. She had been clicking yes. I ran AVG and found nothing. Got the updates, ran it again and found it, cleaned it, but it left 2 registry entries I had to delete. The following is from Trend Micro:

To remove the malware autostart entries:

1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries:
TrayX = "%Windows%\winppr32.exe /sinc"
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
4. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
5. In the right panel, locate and delete the entry or entries:
TrayX = "%Windows%\winppr32.exe /sinc"
6. Close Registry Editor.
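The same check and cleanup as a PowerShell script, added here as an example and not code from the thread or from Trend Micro. It assumes PowerShell 5.1 or later and an elevated prompt for the HKLM key, and uses only the TrayX value name and winppr32.exe path quoted in the steps above:

```powershell
# Added example: look for the Sobig.F autostart entry in both Run keys and,
# with -Remove, delete it. Run elevated so the HKLM key is writable.
param([switch]$Remove)

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Indicators taken from the Trend Micro steps: value name TrayX, data
# pointing at winppr32.exe (with the "/sinc" argument appended).
$valueName = 'TrayX'
$pattern   = 'winppr32\.exe'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Walk every value in the key and match on the name OR the data, since a
    # renamed value that still launches the same binary should not be missed.
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSDrive, etc.
        $hit = ($p.Name -eq $valueName) -or ("$($p.Value)" -match $pattern)
        if (-not $hit) { continue }
        Write-Output "FOUND   $key  $($p.Name) = $($p.Value)"
        if ($Remove) {
            Remove-ItemProperty -Path $key -Name $p.Name
            Write-Output "REMOVED $key\$($p.Name)"
        }
    }
}

# The dropped file itself is only reported; leave deletion to an updated
# scanner once the autostart entry is gone, as the post above did.
$binary = Join-Path $env:windir 'winppr32.exe'
if (Test-Path $binary) {
    Write-Output "NOTE    $binary still present; run an updated AV scan"
}
```

Run it once without -Remove to see what it finds, then again with -Remove to delete the entries.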

glc
08-21-2003, 03:11 AM
Just goes to prove that it doesn't matter HOW good an antivirus or firewall is - if the operator has their head up their @$$ it does no good.

SARGE
08-21-2003, 10:07 AM
Originally posted by glc
Just goes to prove that it doesn't matter HOW good an antivirus or firewall is - if the operator has their head up their @$$ it does no good.

If you're making a back-handed gesture toward someone in particular, so be it. Anyway, the ZA on that pc has a bug anyway because it constantly asks for the OK to allow Netscape access, even though the normal stuff is checked. Reinstalled to no avail. After awhile a body simply ignores those pop-ups. I don't, you don't, but everyone is not as sharp as we.

Computer Hobbyist
08-21-2003, 10:35 AM
I got about 40 of the things yesterday. All of the from lines were different, but I started looking at the headers (my ISP actually caught the infected messages and forwarded me the headers-God bless him.) All of them came from one law firm's server in St. Louis. I emailed the administrator (a lawyer I know who thinks himself a real tech head.) I got an automatic response telling me that I had to register before I could send him email (an anti spam defense.) I got on the phone and called. The lawyer was not available, so I told his receptionist she might want to tell him that somebody on his network was infected with Sobig F. She told me that they would look for him. Apparently I got his attention, I never got another infected email from that server.

A short time later I got an email from the treasury department telling me that they thought I had the virus. I didn't and don't, but Sobig sticks addresses it finds in an infected computer's address book in the "from" line. My address was in the infected computer's address book. Hence all the emails with all the other lawyer type "from" lines.

Morals: (1) the name in the from line is not the source of the virus and (2) don't be afraid to look a little further, and tell somebody when you can figure out the source of the infection.

reboot
08-21-2003, 11:18 AM
I got 423 between 4pm yesterday and 7 am today.
Picked up this little app: http://www.bytegems.com/sobigstopper.shtml
Install it, set it to check all POP3 accounts, and let it run in the system tray.
Checks email every (specified) few minutes, and deletes all sobig worm messages from your mail server. No need to download all your mail, and remove them manually.

mairving
08-21-2003, 12:08 PM
Well I guess that something had to pick up now that Klez has let up a little. Funny thing, I have only received a handful here at work. I am really feeling left out.

coolcps
08-21-2003, 12:18 PM
I have never received an email with a virus attachment, that's kind of odd.

David14259
08-21-2003, 12:59 PM
My old Yahoo Email address gets hundreds of spam emails and viruses every day - I don't use it anymore. I'm a lot more careful about where I give out my e-mail address now.

I've gotten 50 or so sobig emails....

glc
08-24-2003, 03:24 PM
Sarge, I was referring to blindly opening attachments - ESPECIALLY ones that have a .pif, .scr, .exe, .vbs, or .com extension. New viruses will get past the e-mail scanner until the updates are published. Microsoft also should be shot for the default behavior of hiding extensions for known file types, that's why the virus writers use double extensions - remember the annakournikova.jpg.vbs virus?

DragonNOA1
08-27-2003, 12:35 PM
Thanks Computer Hobbyist for your info about the "from" line not necessarily being who sent the message. I was getting some files that said they were from myself! Ha, I just got another e-mail with the sobig virus while typing this out... lol.