FTR - ZoneAlarm does have functionality to screen e-mails for viruses. May only apply to the “Pro”, i.e. non-free version though.
I have received 47 such e-mails since Tuesday. Oddly enough, judging by several returned mail notices, I appear to be spreading the virus, despite:
(i) Not opening any attachments
(ii) Not using Outlook Express
(iii) Being behind a firewall
The worm forges the From: address on emails it sends, so it’s likely that you are receiving returned mail notices for messages that were really sent from another machine. You can make sure you’re not infected by running HouseCall or the pandasoftware scanner sailor posted.
Warlord, the Sobig worm spoofs the return address, so when computer A sends a worm message to computer B, it puts computer C’s return address on it. It gets C’s address from A’s address book, store of old e-mails, and/or browser cache. So the fact that people get the worm with your return e-mail address is no indication that you have it, but it is an indication that someone you both know has it.
Also, items (ii) and (iii) on your list are of no help against Sobig. It doesn’t exploit a problem with OE, it exploits users who run unchecked attachments from any mail client. I guess a firewall could help if it notifies you after you’ve been infected that something is trying to send e-mail with SMTP, but I’m not sure whether most firewalls do this - they’re more concerned with incoming traffic.
What I always coach people to do is to not open any e-mail attachment, unless it’s one they know is safe such as .jpg, without first contacting the sender and asking whether that person actually intended to send you the attachment.
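Added example, not from any poster in this thread: a small Python check a mail administrator could run on the "original message" quoted back inside a bounce, applying the point made above that a forged From: proves nothing while the Received: chain shows where the message really entered the mail system. The headers, hostnames, addresses and the `own_mail_hosts` set are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers of an "original message" as a mail server
# quoted them back inside a bounce. alice@example.com never sent it; an
# infected machine on a dial-up line put her address in From:.
SAMPLE_RETURNED_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id 1234; Fri, 22 Aug 2003 10:00:02 -0400
Received: from [198.51.100.77] (dialup-77.isp.example [198.51.100.77])
\tby mx.example.net with SMTP; Fri, 22 Aug 2003 10:00:01 -0400
From: alice@example.com
To: bob@example.org
Subject: Re: Details

See the attached file for details.
"""

# "from <name> ... [<ip>]" as written by the relay that accepted the message.
RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]",
                           re.IGNORECASE | re.DOTALL)

def origin_hop(raw_message):
    """(name, ip) of the host that first handed the message to a relay, or None.

    Each relay prepends its own Received: line, so the bottom one is the oldest.
    Only lines added by relays you trust are reliable: a worm can forge
    Received: lines of its own, but not the ones added after it sent.
    """
    hops = message_from_string(raw_message).get_all("Received") or []
    for hop in reversed(hops):
        m = RECEIVED_FROM.match(hop)
        if m:
            return m.group(1), m.group(2)
    return None

def is_backscatter(raw_message, own_domain, own_mail_hosts):
    """True when From: claims our domain but the message entered the mail
    system from an IP that is not one of our outbound hosts: a forged
    sender somewhere else, not an infection on our side."""
    msg = message_from_string(raw_message)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if claimed != own_domain.lower():
        return False            # not pretending to be us
    hop = origin_hop(raw_message)
    return hop is not None and hop[1] not in own_mail_hosts
```

The same check is what a bounce-generating gateway should do before mailing a "you sent a virus" notice to the From: address.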
The operating systems that I am familiar with all will allow code to open internet ports. I am not sure what your point is here.
I do not understand very well why people warn (only or mostly) about not opening attachments from people “you don’t know”.
Ahem...
As has been said, an email sender's address can easily be spoofed. And even if a friend really sends you something, it does not mean he is not unwittingly sending you something infected with a virus.
I do not trust anything which could carry a virus, no matter who sent it. Friends can be infected and not know it. I check and double check. It’s the only safe thing to do.
RealityChuck
How about Microsoft's 'brilliant' idea to hide file extensions as the default choice? Or shouldn't we blame Microsoft for that either?
I think that the original point is that the Sobig-carrying attachment must be manually opened by the recipient, regardless of what it does afterward. It does not autoexecute like Klez due to an unpatched security flaw.
Code, yes. But unless I am drastically mistaken (which is always a strong possibility), to open a port and act as a daemon, code on Unix would have to be run as a privileged user (or administrator on the Mac). So arbitrary code, no.
Granted, on a desktop machine the user may well have root access, but they’ll still be prompted to authenticate if they want to install software that opens ports, no?
Something that a lot of people don't get is just how ingenious SoBig is on the annoyance factor. It's essentially a replicating mass mailer; a high-speed, particularly annoying one. A good DSL connection can send out over ten thousand messages containing the bug in an hour. And all of those are being sent to (and with a faked From: address) names that are culled from just about any file on their computer.
Think about the scale of damage one infected computer can do and multiply that by millions. Each infection is no big deal by itself, but the cumulative collateral damage they cause is astronomical. I can just look at the messages in this thread that mention how often they're receiving it, or getting responses that say they're sending it, from poorly thought out autoresponses. The volume of noise it's generating is grinding many people's e-mail to a halt. For a virus that Symantec has only rated as a level 3 threat, it has the most far-reaching, damaging consequences I've ever seen.
Uh… and what does this have to do with anything? It’s not like they make it particularly difficult to change settings (and let’s face it… if you don’t go through your OS and customize the settings to your own preferences, you’re precisely the kind of person that would prefer to hide the file extensions).
Incorrect. Any program can start listening on a port, which is how it should be.
Think of the common protocols that use incoming connections: FTP, AIM (direct connections), IRC (ident and file transfers), P2P file sharing, online games (to host a game). It wouldn’t make sense to require you to be logged on as root or Administrator to run those.
You may be thinking of the “privileged” ports below 1024, which only root can use. That limitation is becoming outdated, though, now that everyone has his very own computer. Even if Windows only allowed Administrator to use ports below 1024, the worm could just listen on port 1995 instead of 995.
Absolutely. But what puzzles me is that the anti-virus scanners installed at many ISPs don’t seem to know this. So I get a dozen bounced messages a day telling me that they don’t accept mail with certain kinds of attachments. Some of the boiler-plate text is even insulting. But I didn’t send it, someone else did and used my return address!
This just adds to the problem, since the scanner at my ISP lets these through just fine. So for every Sobig email generated which gets blocked, one additional message gets generated by the scanner in its place. Someone needs to get a clue.
And Sailor, I echo your sentiments about not using a virus scanner as part of a PC's system. I'm smart and hip enough to recognize most of the common virus sigs – at 55/hour, the Sobig.F was pretty obvious – I have file extensions showing, PIF & SCR execution turned off, etc., etc., and have never yet been infected. And Norton & McAfee interfere terribly with the computer functions I want to use, and I don't need one more crap piece of software mucking up my system.
I sometimes run a full system scan using the free tool at antivirus.com, and the only things it finds are files that I deliberately save as “bait” in a special folder for viruses.
But I find it difficult to recommend to Average Joe to go bareback without a virus scanner in place. There’s no way AJ can absorb my (or your) knowledge and keep up with the latest trends, so I feel they must rely on an antivirus package and keep it up to date.
I get it a lot these days, but they come as PIF files, which my computer sees as MS-DOS prompts & my scanner won't scan MS-DOS prompts…
"Why are people on unpatched M$ systems still opening unrequested, unexplained file attachments, particularly those with questionable file extensions?"
Wouldn’t it be more logical to wonder why the richest person in the world can’t make software that’s secure? I have email software that’s not affected by worms.
This is all well and good if your internet connection is up and running. However, you're screwed if a virus zaps your connection and you're left with no means of cleaning it. As an added layer of protection to web-based virus scans, allow me to recommend F-Prot Antivirus for DOS. You can make a DOS boot disk to thoroughly scan your system without running any Windows services at all. I make regular, updated boot disks and run regular overnight scans in DOS just to be on the safe side.
Oh really? This is a relief (for myself I mean, not for whatever poor sucker has this).
I have the vaguest notion of what a firewall is, but I certainly never open suspicious attachments of any kind. Also I ran two different virus checks and both came out negative. So I was a little puzzled as to why I kept getting about eight or nine “WARNING, YOU HAVE A VIRUS” or “Returned mail: Forbidden file type” messages from people.
I have been getting emails from "Mail Administrator" with the subject "Mail System Error - Returned Mail". Is this due to the virus? There is an attachment (unopened!), and the message says that it was not able to deliver an outgoing email. However, I never sent an email to the address noted. Any ideas out there? I'm using a computer at the public library when this happens.
I only had it sent to me once (though it kept going through one mailing list that I'm on about 30-something times; that list strips attachments).
Strangely, it was from someone I had earlier sent an email to, requesting further explanation and information about something. I was expecting a reply, one labeled “details” wasn’t entirely out of the question. I was at work, so I needed to use Outlook. The virus scanner mandated by work (McAfee - which is what took down my last home computer, but it did take the time to run everything slowly while failing to catch any viruses.) didn’t catch it.
Had I been slightly more absent minded, I would have gotten it.
I'm sure there are a lot of people out there like me who were distracted enough to get it.
I’m sure there are also those who are oblivious to the whole idea of a virus.
I still do not see where Microsoft is at fault with this particular worm. A computer that does not execute programs that the user tells it to execute is not particularly useful. I really do not look forward to a time when these secure computing initiatives being put forward by various companies take hold. Computers will lose a lot of their fun and usefulness if the only programs that can be executed are programs that have been signed by somebody like Microsoft or VeriSign.
Not the original poster, but on Unix-like OSes only root (the admin) can open ports under 1024. Not that that would have stopped something like this. Any user can open 1025 and above.
I am still amazed that people running windows will open any .doc, .exe, .pif, .com, .scr, etc files without scanning them first.
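Added example, not from anyone in this thread: a Python attachment-screening rule that applies the points raised in these posts, namely that .pif, .scr, .exe and .com names run on Windows, that a real extension can be hidden behind a "safe" one or pushed out of view with spaces, and that a Windows executable is recognisable by its content whatever it is called. The extension lists, verdict names and sample filenames are my own choices.

```python
import re

# Extensions Windows runs on double-click; Sobig.F travelled as .pif and .scr.
# Windows hides .pif and .lnk even when "hide extensions" is switched off.
EXECUTABLE_EXTS = {"exe", "com", "pif", "scr", "bat", "cmd", "vbs", "js", "lnk"}
# Formats that do not carry executable code when opened with a viewer.
BENIGN_EXTS = {"jpg", "jpeg", "gif", "png", "txt"}
# Office formats can carry macros: not blocked outright, but scanned first.
MACRO_EXTS = {"doc", "xls", "ppt", "rtf"}

def split_extensions(filename):
    """Lower-cased name parts, after removing spaces used to push the real
    extension past the edge of the attachment list ("pic.jpg        .pif")."""
    name = re.sub(r"\s+\.", ".", filename.strip().lower())
    return name.split(".")

def classify_attachment(filename, data=b""):
    """Return (verdict, reason); verdict is 'block', 'scan' or 'allow'."""
    # Content first: a PE executable starts with "MZ" whatever it is called.
    if data[:2] == b"MZ":
        return "block", "content is a Windows executable (MZ header)"
    parts = split_extensions(filename)
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    if ext in EXECUTABLE_EXTS:
        if inner in BENIGN_EXTS or inner in MACRO_EXTS:
            return "block", f"double extension: .{inner} hides .{ext}"
        return "block", f".{ext} is executable on Windows"
    if ext in MACRO_EXTS:
        return "scan", f".{ext} may contain macros"
    if ext in BENIGN_EXTS:
        return "allow", f".{ext} is a data file"
    return "scan", "no or unknown extension"
```

Note that the content check is the one a scanner that "won't scan MS-DOS prompts" is missing: a .pif that carries a PE image is an executable, not a shortcut.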