
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2003-08-19



SOBIG.F

Published: 2003-08-19
Last Updated: 2003-08-19 16:34:27 UTC
by Handlers (Version: 1)
A new variant of the SOBIG worm is spreading fast.

Best practices to apply now:

- Update anti-virus scanners on desktops, servers and the security perimeter.

- Communicate safe email handling instructions to all users (do not open unsolicited attachments, no matter how tempting the instructions or title are).

- Block incoming UDP ports 995 - 999.

- Block outgoing UDP port 8998.

- Monitor for outgoing UDP port 123 traffic (used by NTP clients as well) for signs of infection.

This new variant is rather successful at spreading.
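
The port recommendations above, applied as a check over perimeter flow records. This is an added example, not part of the original diary; the CSV record layout, the sample flows and the approved NTP server list are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Assumption: the site's sanctioned NTP servers (documentation-range addresses).
APPROVED_NTP = {"192.0.2.10", "192.0.2.11"}

# Constructed sample flow records: time,direction,proto,src,dst,dst_port
SAMPLE_FLOWS = """\
2003-08-19T16:40:01Z,out,udp,10.0.0.21,192.0.2.10,123
2003-08-19T16:40:05Z,out,udp,10.0.0.34,198.51.100.7,123
2003-08-19T16:40:09Z,out,udp,10.0.0.34,203.0.113.50,8998
2003-08-19T16:41:12Z,in,udp,203.0.113.9,10.0.0.34,996
2003-08-19T16:41:30Z,out,tcp,10.0.0.21,198.51.100.80,8998
2003-08-19T16:42:02Z,in,udp,203.0.113.9,10.0.0.55,1000
"""

def classify(direction, proto, dst, dport):
    """Return a finding label for one flow, or None if it matches no rule."""
    if proto != "udp":
        return None
    if direction == "in" and 995 <= dport <= 999:
        return "inbound-udp-995-999"      # diary: block at the perimeter
    if direction == "out" and dport == 8998:
        return "outbound-udp-8998"        # diary: block at the perimeter
    if direction == "out" and dport == 123 and dst not in APPROVED_NTP:
        return "outbound-ntp-unapproved"  # diary: monitor; NTP clients use 123 too
    return None

def scan(flow_text):
    """Map each internal host to the sorted list of findings seen for it."""
    findings = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 6 or not row[5].isdigit():
            continue  # skip malformed records
        _ts, direction, proto, src, dst, dport = row
        label = classify(direction, proto.lower(), dst, int(dport))
        if label:
            host = src if direction == "out" else dst  # internal side of the flow
            findings[host].add(label)
    return {h: sorted(v) for h, v in findings.items()}

if __name__ == "__main__":
    for host, labels in sorted(scan(SAMPLE_FLOWS).items()):
        print(host, ", ".join(labels))
```

Filtering UDP 123 against the list of approved NTP servers keeps ordinary time synchronisation from drowning out the hosts worth examining.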

Read more at:

http://www.sarc.com/avcenter/venc/data/w32.sobig.f@mm.html

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100561

http://www.sophos.com/virusinfo/analyses/w32sobigf.html

http://www.europe.f-secure.com/v-descs/sobig_f.shtml
