Stop it, stop it now. Please!

Mt. Molelog (surprisingly work-safe at the moment: you’re slackin’!):

SoBig is back and spreading like wildfire, and it doesn’t even take advantage of any technical security holes, just people. People who will double-click on whatever attachments they get in mail.

Some infected AOL user visited my website at 4:10pm this afternoon. Since then, I’ve received 60 copies of this worm – about one every four minutes.

D’oh. I did remember that Sobig was more cunning than just searching your addressbook for email addresses, but I’d completely forgotten that it looks in HTML pages, including his page, and my page, in your cache. I haven’t really seen that many copies just yet, but then the free server for the address that I mostly use in public has been down since mid-morning.

So, one more time: in Outlook Express, Tools; Options; Security; check the box for “Do not allow attachments to be saved or opened that could potentially be a virus.” When someone mails you an attached spreadsheet that you really need to see, you’ll have to think for a second, uncheck it, save the bloody thing, and recheck it. A tiny price to pay for having it stop you from blindly opening ThisIsAVirus.pif when you aren’t thinking straight.


Comment by alanjstr #
2003-08-19 22:27:31

That’s what encoded links are for. Not only does my blog use a unique sneakemail address, it’s so obscured it’s not funny.

Comment by Lummox JR #
2003-08-20 08:42:39

I would remind Mt. Molelog that Sobig and related worms love to forge their headers. The sender is almost certainly not the one reported.

Moreover, it’s difficult to impossible for a worm to send out e-mails from an infected AOL account, since AOL does not support the kinds of interfaces that a worm would normally use. To send via AOL it would either have to take over the user’s window and compose new mail in a window itself, or it would have to do something similar via the Web interface at

Comment by Phil Ringnalda #
2003-08-20 09:23:30

Take a look at the email address in his page (bottom of the right column) and assuming you know your IP address, you’ll see why he has pretty good reason to blame a particular user at a particular time.

So I’d guess that AOL does let it work, since a page generated for an AOL proxy apparently found its way to an infected machine.

Comment by Roger Benningfield #
2003-08-20 08:55:54

I got quite a bit of SoBig junk yesterday, but only a couple so far this morning.

Guess I might as well get used to it, though. I still get ”killed a Klez attachment” warnings from Norton once every day or two, so I expect SoBig to become a permanent part of my life.

Comment by Phil Ulrich #
2003-08-20 09:24:57

Shite. Phil, you might know if this is related: I got three messages today that were all ”Message undeliverable” messages from AOL. All of them appeared to be sent from me, all of them claimed to have been sent by Outlook Express, and all of them seem to have been relayed from Ohio State University.

Problem 1: I haven’t used Outlook Express. Ever.
Problem 2: I don’t attend OSU.

Think this might be related?

Comment by Phil Ringnalda #
2003-08-20 15:30:55

Sounds exactly like it: both your email address and the addresses of the AOL folks were on someone infected’s computer, so Sobig tried to send itself to the AOLers with your address as a return.

Name (required)
E-mail (required - never shown publicly)
Your Comment (smaller size | larger size)
You may use <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <del datetime="" cite=""> <dd> <dl> <dt> <em> <i> <ins datetime="" cite=""> <kbd> <li> <ol> <p> <pre> <q cite=""> <samp> <strong> <sub> <sup> <ul> in your comment.