Posted

Right, I opened up an e-mail from my mum's work colleague. It was a WinZip file with a file format .pif inside it. I was asked to try and open it; at first I thought it was a Windows 3.1 format .pif so tried opening it.

I opened it, nothing happened. My drive spun, as per, but nothing happened. Btw, I had my Outlook open at the time.

Now, I open Outlook to check my e-mails... I send/receive and get an e-mail from my friend named 'application', same as the one I got from my mum's work colleague. With the same file attached, 'your_details.zip'.

I scanned with Norton and it picked up nothing (I have 2002 but not with updated definitions as I haven't renewed my subscription). Any ideas what this thing is?!

The actual filename in the .zip file is 'details.pif'.

Cheers, Flash.


Posted

I just searched my Hard Drive for any files named 'detail.pif'. I found one:

DETAILS.PIF-1AA87EDF.pf

Location: C:\WINDOWS\Prefetch

Size: 12KB

Type: PF File

Date Modified: 02/07/2003 15:32 (Today).

Hellllllllllp me :)

Posted

.pif? You utter dumbass :)! Anyone who has a brain doesn't open .pif attachments! You've landed yerself a virus, lemme see if I can look it up.

Posted

Spreading in e-mails

The worm spreads itself in e-mails. The infected message is composed by the worm from different, randomly selected subjects, a fixed message body and different, randomly selected attachment names. The worm's file is sent inside a ZIP archive attached to an infected message.

The worm has the following subjects hardcoded in its body:

referer.pif

004448554.pif

re.document.pif

new_document.pif

submited.pif

Screensaver.scr

movie.pif

Applications.pif

Application.pif

Your application

Re: Re: Document

Re: Re: Application ref. 003644

Re: Documents

Re: Screensaver

Re: Submited (Ref: 003746)

Re: Movies

Re: Movie

Re: Application

The worm has the following attachment names hardcoded in its body. The worm's executable file name that is sent in an archive is given in brackets:

Movie.zip (Movie.pif)

screensaver.zip (sky_world.scr)

document.zip (document.pif)

application.zip (application.pif)

your_details.zip (details.pif)

However, so far we only saw messages with the following characteristics:

Subject:

Re: Application

or

Re: Movie

Body:

Please see the attached zip file for details.

Attachment:

your_details.zip

The attachment contains the worm's file with DETAILS.PIF name. The fact that the worm uses only 2 subjects and 1 attachment name indicates that the randomizing routine of the worm has a bug.

Here's a screenshot of an infected message sent by the worm:

sobig_e.gif
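
A mail-filter check built from the attachment list quoted above, added here as an example and not part of the original post or the advisory it quotes: it opens each ZIP attachment and flags inner files that match a listed archive/file pair or end in .pif or .scr. The names `scan_message`, `build_sample`, `KNOWN_PAIRS` and `RISKY_EXTS` are hypothetical, and the sample message is constructed with harmless bytes.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions used by the inner files in the list above; Windows runs both.
RISKY_EXTS = (".pif", ".scr")
# Archive name -> inner file name, lowercased, copied from the quoted list.
KNOWN_PAIRS = {
    "movie.zip": "movie.pif",
    "screensaver.zip": "sky_world.scr",
    "document.zip": "document.pif",
    "application.zip": "application.pif",
    "your_details.zip": "details.pif",
}

def scan_message(raw_bytes):
    """Return (attachment, member, reason) findings for one raw e-mail message."""
    msg = email.message_from_bytes(raw_bytes)
    findings = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            members = zipfile.ZipFile(io.BytesIO(payload)).namelist()
        except zipfile.BadZipFile:
            # A .zip attachment the filter cannot inspect is itself worth flagging.
            findings.append((name, None, "unreadable zip"))
            continue
        for member in members:
            low = member.lower()
            if KNOWN_PAIRS.get(name) == low:
                findings.append((name, member, "matches listed name pair"))
            elif low.endswith(RISKY_EXTS):
                findings.append((name, member, "executable extension in zip"))
    return findings

def build_sample(attachment, member):
    """Constructed test message: a ZIP holding harmless text under the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"harmless placeholder, not an executable")
    msg = EmailMessage()
    msg["Subject"] = "Re: Application"
    msg.set_content("Please see the attached zip file for details.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment)
    return msg.as_bytes()
```

The check reads only the archive's file listing, so it never extracts or runs the inner file.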

Posted

Yup, I got the same thing from an address that was supposed to be from Microsoft. Luckily I read an article on neworder.box.sk on it the day before so I knew what it was :) . I got AVG atm and it lets worms thru, it sux

Posted

On emax hosting mail I get about 4-5 of these a day. I am not infected but I still get the zip files. Delete Delete, all day long.

Posted

w00t, thanks guys and gals :) The virus is gone :rolleyes: Used that removal tool... The worm actually expires soon I think anyway, so I heard, lol...

Thanks anyways.

Posted

:) I get viruses in my e-mail everyday, but my virus scanner picks them up and deletes them...:D

I've gotten the SOBIG, the YAHA, the KLEZ, and the LOVELETTER viruses! :rolleyes: All deleted! :D

Posted

I've got Klez, Yaha, Bugbear, and Palyh, the Microsoft fake one. One was in a love letter

'dear mary'

It's John here, hope you had great fun the other night on the beach stroll...eh? lol
