Tech Alert Briefing for 8/22/2003
From Blaster to Nachi to Sobig -- More Havoc Predicted
Virus strains have turned more virulent in recent days: Blaster, then its socially engineered complement Nachi, packed a second punch by disguising itself as a fix for the Blaster (LovSan) bug. Now Sobig, which earlier this week wreaked havoc on the Internet and has overtaken the Klez virus as one of the worst in history, stands to pack a second blast of ammunition. Anti-virus researchers have discovered that the Sobig worm is set to strike again at 3pm EDT today.
Computers infected with the Sobig.F virus are set to download an unknown executable file from one of 20 computers scattered across the Internet. The world-wide anti-virus community has been searching to track down those computers and disconnect them from the Internet before the appointed hour strikes. So far, about half of them have been located and taken offline.
Security firm X-Force is recommending that systems administrators filter outbound UDP port 8998 for the following IP addresses:
67.73.21.6
68.38.159.161
67.9.241.67
66.131.207.81
65.177.240.194
65.93.81.59
65.95.193.138
65.92.186.145
63.250.82.87
65.92.80.218
61.38.187.59
24.210.182.156
24.202.91.43
24.206.75.137
24.197.143.132
12.158.102.205
24.33.66.38
218.147.164.29
12.232.104.221
68.50.208.96
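To turn the X-Force recommendation above into something an administrator can act on, here is an added example (not part of the original alert or of X-Force's own tooling) that scans outbound firewall log lines for UDP traffic to port 8998 bound for any of the 20 listed addresses, reports which internal hosts made such connections (those are the machines to pull off the network and clean), and prints block rules. The log line format is a constructed, hypothetical one; the address list and the port are exactly those given in the alert.

```python
"""Detect Sobig.F update-check traffic (UDP/8998 to the listed hosts) and emit block rules.

Added example; the log format below is constructed for illustration.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Port and the 20 addresses from the X-Force recommendation in the alert.
SOBIG_UPDATE_PORT = 8998
SOBIG_UPDATE_HOSTS = frozenset(
    ipaddress.ip_address(a)
    for a in (
        "67.73.21.6", "68.38.159.161", "67.9.241.67", "66.131.207.81",
        "65.177.240.194", "65.93.81.59", "65.95.193.138", "65.92.186.145",
        "63.250.82.87", "65.92.80.218", "61.38.187.59", "24.210.182.156",
        "24.202.91.43", "24.206.75.137", "24.197.143.132", "12.158.102.205",
        "24.33.66.38", "218.147.164.29", "12.232.104.221", "68.50.208.96",
    )
)

# Hypothetical firewall log format (constructed for this example):
#   <timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sobig_update_check(rec: Dict[str, str]) -> bool:
    """True when the record is UDP to port 8998 at one of the listed update hosts."""
    if rec["proto"].upper() != "UDP" or int(rec["dport"]) != SOBIG_UPDATE_PORT:
        return False
    try:
        return ipaddress.ip_address(rec["dst"]) in SOBIG_UPDATE_HOSTS
    except ValueError:  # malformed address in the log; never a match
        return False


def find_update_checks(lines: Iterable[str]) -> List[Dict[str, str]]:
    """All parsed records that look like a Sobig.F update check."""
    return [rec for rec in map(parse_line, lines) if rec and is_sobig_update_check(rec)]


def suspected_infected_hosts(lines: Iterable[str]) -> List[str]:
    """Internal source addresses that attempted the update check (sorted, unique)."""
    return sorted({rec["src"] for rec in find_update_checks(lines)})


def iptables_block_rules() -> List[str]:
    """One OUTPUT rule per listed host, dropping UDP/8998 towards it."""
    return [
        f"iptables -A OUTPUT -p udp -d {ip} --dport {SOBIG_UPDATE_PORT} -j DROP"
        for ip in sorted(SOBIG_UPDATE_HOSTS)
    ]


# Constructed sample log: one infected host (10.0.0.12) and three benign lines.
SAMPLE_LOG = [
    "2003-08-22T14:58:01 ALLOW UDP 10.0.0.12:1034 -> 67.73.21.6:8998",
    "2003-08-22T14:58:02 ALLOW UDP 10.0.0.12:1035 -> 65.93.81.59:8998",
    "2003-08-22T14:58:03 ALLOW UDP 10.0.0.40:1100 -> 192.0.2.10:8998",   # not a listed host
    "2003-08-22T14:58:04 ALLOW TCP 10.0.0.12:1036 -> 67.73.21.6:8998",   # wrong protocol
    "2003-08-22T14:58:05 ALLOW UDP 10.0.0.77:1200 -> 24.33.66.38:53",    # wrong port
    "2003-08-22T14:58:06 ALLOW UDP 10.0.0.12:1037 -> 68.50.208.96:8998",
]

if __name__ == "__main__":
    print("suspected infected hosts:", suspected_infected_hosts(SAMPLE_LOG))
    print("\n".join(iptables_block_rules()))
```

The OUTPUT-chain rules only cover traffic originating on the host running them; on a gateway the same match belongs in the FORWARD chain. Matching on source address after the fact is the useful part: any internal machine seen attempting this connection should be treated as infected regardless of whether the packet was allowed or dropped.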
Sobig.F uses a built-in SMTP engine to replicate itself by sending out infected emails containing copies of the virus. When a user opens the attached (.pif or .scr) executable file, the virus runs arbitrary code on the target machine. According to CERT, this worm can potentially compromise confidential information, or set up and run other services, such as open mail relays.
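Because the worm spreads only when a user opens a .pif or .scr attachment, a mail gateway that flags those attachment types stops it before it reaches the inbox. The following added example (not code from the alert, CERT or Sophos) parses a raw message with Python's standard `email` package and lists attachments carrying those extensions; the sample message, its sender and its filenames are constructed for the example, not taken from real Sobig.F mail.

```python
"""Flag .pif/.scr attachments in a raw email message (added example, constructed data)."""
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Extensions the alert names as the executable attachment types Sobig.F uses.
BLOCKED_EXTENSIONS = (".pif", ".scr")


def risky_attachments(raw: bytes) -> List[str]:
    """Return filenames of attachments whose extension is in BLOCKED_EXTENSIONS.

    get_filename() reads both the Content-Disposition filename and the
    Content-Type name parameter, so either way of naming the part is caught,
    and the comparison is case-insensitive so 'DETAILS.PIF' is not missed.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(BLOCKED_EXTENSIONS):
            found.append(name)
    return found


def build_sample(filename: str) -> bytes:
    """Construct a hypothetical message with one binary attachment (test input only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed placeholder address
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Re: Details"               # constructed subject line
    msg.set_content("Please see the attached file.")
    msg.add_attachment(
        b"MZ\x90\x00constructed-not-a-real-binary",  # fake payload bytes
        maintype="application",
        subtype="octet-stream",
        filename=filename,
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("details.pif", "report.pdf", "Wicked.SCR"):
        print(name, "->", risky_attachments(build_sample(name)))
```

Extension matching is a coarse control: it also rejects legitimate screen-saver files, and it does nothing for executables wrapped in an archive. It is still the quickest gateway-side change for this particular worm, since the alert states the infection requires opening a .pif or .scr attachment.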
Anti-virus maker Sophos has released a Sobig.F disinfection tool on their web site.
Critical Patch Issued for Internet Explorer
If you are using Internet Explorer (versions 5.01, 5.5, or 6.0) to browse the Internet, you need to know that Microsoft has issued a cumulative patch for two new vulnerabilities that are rated maximum severity. Get the patch from Microsoft here: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-032.asp