Full Disclosure mailing list archives

Re: Anybody know what Sobig.F has downloaded?


From: Tim Fletcher <tim () night-shade org uk>
Date: Sat, 23 Aug 2003 19:15:28 +0100

On Sat, 2003-08-23 at 18:55, Tim Fletcher wrote:
On Fri, 2003-08-22 at 21:33, Compton, Rich wrote:
As many of you know, the latest Sobig.F virus was scheduled to begin
downloading unknown code from various IPs at 3:00 EST today on UDP port
8998.  Does anybody have any idea what this code is?  Are the infected boxes
actually downloading code?  Does anybody have an infected Windoze box with
Sobig that can see what code was downloaded?

While this is second-hand, I have now heard about the same effect on two
different, unrelated machines via friends on QuakeNet (IRC):

<Mikeh> email from a m8
<Mikeh> got a bit of a prob
<Mikeh> with me pc, when i go online, after about a minute i get a
message saying
<Mikeh> "system is shutting down please save all work in progress and
log off,
<Mikeh> system shut down was initiated by NT Authority/system.

This could be something totally unrelated, but given that I have now heard
about it from two people since last night, one of whom was definitely
infected with Sobig.F, I think there is code out there.

Putting this together with the comments made on the list about traffic
on UDP port 8998 to a different set of IPs from some of the Sobig.F-
infected hosts leads me to suggest that there is "something" going on,
but as to what, I have very little idea, as my only Windows machine is for
playing games on and so sees no email or direct net traffic.

I appear to be putting 2 and 2 together and getting 5 1/2; it's now less
clear (at least to me) if this is MSBlaster or Sobig.F.

Sorry for the additional noise

-- 
   Tim Fletcher 

                                     .~.
       tim () night-shade org uk        /V\      L   I   N   U   X   
                                    // \\  >Don't fear the penguin<
   irc: Night-Shade on Quakenet    /(   )\
                                    ^^-^^

Justice is incidental to law and order.
                -- J. Edgar Hoover

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
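The thread's one concrete indicator is outbound UDP traffic to port 8998 from infected hosts towards a set of different IPs. The script below is an added example, not something posted in the thread or shipped with any tool mentioned in it: it parses iptables-style firewall log lines (constructed here, not real captures) and reports which internal hosts sent UDP to port 8998 and how many distinct destinations each one contacted, so a list admin could check their own logs for the pattern described. The log format, the IP addresses and the two-destination threshold are all assumptions made for the example.

```python
"""Flag hosts sending outbound UDP datagrams to port 8998, the port named in
the Sobig.F thread as the download channel.  Added example with constructed
log lines; the iptables LOG-style format is an assumption."""
import re
from collections import defaultdict

# Constructed sample lines in iptables LOG style.  The addresses are from
# documentation ranges and are not real Sobig.F download servers.
SAMPLE_LOG = """\
Aug 22 20:01:03 fw kernel: OUT=eth0 SRC=192.168.1.20 DST=198.51.100.10 PROTO=UDP SPT=1039 DPT=8998 LEN=36
Aug 22 20:01:03 fw kernel: OUT=eth0 SRC=192.168.1.20 DST=198.51.100.11 PROTO=UDP SPT=1040 DPT=8998 LEN=36
Aug 22 20:01:04 fw kernel: OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 PROTO=UDP SPT=1041 DPT=8998 LEN=36
Aug 22 20:01:05 fw kernel: OUT=eth0 SRC=192.168.1.31 DST=198.51.100.10 PROTO=UDP SPT=2010 DPT=8998 LEN=36
Aug 22 20:01:06 fw kernel: OUT=eth0 SRC=192.168.1.45 DST=192.0.2.53 PROTO=UDP SPT=1025 DPT=53 LEN=60
Aug 22 20:01:07 fw kernel: OUT=eth0 SRC=192.168.1.45 DST=198.51.100.10 PROTO=TCP SPT=1060 DPT=8998 LEN=48
"""

# The port the thread attributes to the Sobig.F download attempt.
SOBIG_PORT = 8998

# Pull the fields we need out of a LOG line; anything else is ignored.
FIELD_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict with src, dst, proto and dpt, or None if the line does
    not look like a firewall LOG record."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def find_udp_8998_sources(log_text):
    """Map each source host to the sorted list of distinct destination IPs it
    sent UDP datagrams to on port 8998.  TCP to 8998 and UDP to other ports
    are deliberately excluded so ordinary DNS traffic does not show up."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP" and rec["dpt"] == SOBIG_PORT:
            hits[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


def suspicious_hosts(log_text, min_destinations=2):
    """Hosts that contacted at least min_destinations distinct IPs on
    UDP/8998, matching the 'various IPs' pattern described in the thread.
    The threshold of 2 is an assumption chosen for this example."""
    sources = find_udp_8998_sources(log_text)
    return sorted(src for src, dsts in sources.items() if len(dsts) >= min_destinations)


if __name__ == "__main__":
    for src, dsts in sorted(find_udp_8998_sources(SAMPLE_LOG).items()):
        print(f"{src} -> {len(dsts)} destination(s) on UDP/{SOBIG_PORT}: {', '.join(dsts)}")
    print("hosts worth a closer look:", suspicious_hosts(SAMPLE_LOG))
```

Run against a real log, the host list from `suspicious_hosts` is only a starting point: a single datagram to one address could be anything, which is why the example counts distinct destinations rather than raw packet volume, and the threshold should be tuned to what the network normally looks like.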

