
30 virus attacks in 2 hours! - W32.Sobig.F@mm

After Blaster, another mass-mailing virus!

lasko

4:15 pm on Aug 19, 2003 (gmt 0)

The virus W32.Sobig.F@mm appeared really quite recently; however, Symantec have just upgraded it to nearly the same level as Blaster.

For some reason in the last two hours I have received 30 attacks, all of which were stopped by Norton with no problems.

The virus is sending itself to any email address found in html, htm, txt files and more on the Internet.

So now I am taking all my addresses off all my high-ranking web sites and using PHP to protect my email accounts.

Has anyone else seen a sudden increase of attacks from this virus?

What a week it's turning out to be :(

MarkHutch

9:47 pm on Aug 21, 2003 (gmt 0)

I've been checking Windows Update every day since these new problems were discovered. Just now I found another Windows Update I needed to solve another problem with Internet Explorer. Everyone might want to check and see if they need this new update, too.

WebStart

11:11 pm on Aug 21, 2003 (gmt 0)

I did a McAfee virus update earlier today. Then I went to their library and noticed that they did not update for this worm/virus until yesterday. I don't use Norton, but they evidently (from emails I have gotten from them or those that sell Norton) recently updated.

If anyone has not updated their virus protection in the last day, they should do so soon and then scan. The McAfee library also has instructions on how to manually delete the virus.

Natashka

12:44 am on Aug 22, 2003 (gmt 0)

I have all bad email forwarded to a trash email address and just empty it from time to time.

Thanks for the advice, but in this situation it doesn't really matter what email account to empty, as my main account itself looks like trash! I don't use Outlook Express anymore (it would be insane to download thousands of 100KB emails onto my machine!); I preview my mail on the web, so it doesn't really matter what account to preview.

I have a feeling like every single person in the world on an infected machine just rushes to my poor website, like bees to honey! :) :) Just kidding, I know you all are experiencing the same, but that's how it feels these days.

And you know, I am not only mad at the virus creators, but also at all those stupid folks who in spite of everything keep opening attachments! Well, curiosity killed the cat.

Visit Thailand

12:47 am on Aug 22, 2003 (gmt 0)

WebStart - yes, NAV and NIS have had quite a few updates the past couple of days.

Is it me or does it seem to be slowing slightly?

WebStart

1:10 am on Aug 22, 2003 (gmt 0)

Visit Thailand >Is it me or does it seem to be slowing slightly?<

It has not slowed for me. I am not infected on my own server, but I get lots of this worm's email because of all the websites I own, which have the multiple addresses sales@xxx.com; info@xxx.com; customerservice@xxx.com used to send this crap to me, and those addresses are also then stolen and used to resend the virus. Obviously, this affects me and the credibility of my business, but I don't know what to do about it.

Someday, hopefully, the architecture of the web may change to prevent this, but so long as it is as open and free as it is now, I doubt much can be done. And if it changes too much we all may face a much more challenging future re who does business on the Internet and how it is done.

rise2it

5:47 am on Aug 22, 2003 (gmt 0)

Special thanks to Dazz for a previous software recommendation which saved my butt! (Getting 100 of the SoBig mails an hour!)

This got me thinking...

Since this has gotten so big, I've started another post so everyone can compare notes on what they're doing to combat this SoBig thing.

[webmasterworld.com...]

If you're being overwhelmed, hopefully you'll find some help.

If you've got it 'under control', please share and let everyone else know what you're doing.

georgeek

5:49 am on Aug 22, 2003 (gmt 0)

One of my favorite hosting services has reacted very well to the situation, I just got an email from them which in summary says that:

Current policy prohibits filtering emails server side.

Due to the widespread nature of the SoBig.F they have decided to make a single exception to this policy.

A filtering system has been designed to specifically combat the SoBig.F situation.

They have activated a filter on all domains that will eliminate all emails containing attachments with the extensions of PIF and SCR.

Anyone else seen a major ISP take action?

WebStart

7:15 am on Aug 22, 2003 (gmt 0)

Not me.

percentages

9:20 am on Aug 22, 2003 (gmt 0)

Set Exim to block transmission or reception of any email containing an executable attachment.

I did this 12 months ago... the users wanted my blood at that time... today they are a happy virus-free bunch :)

No Pain...No Gain!

Rosalind

9:47 am on Aug 22, 2003 (gmt 0)

Someday, hopefully, the architecture of the web may change to prevent this, but so long as it is as open and free as it is now, I doubt much can be done. And if it changes too much we all may face a much more challenging future re who does business on the Internet and how it is done.

I haven't been hit badly yet, but this is a wake-up call to change my email addresses in web pages to forms instead of using mailto. This is also the first time the google cache could present a problem for a lot of webmasters, because even if you change your pages people will still be able to get the old versions.

lasko

9:52 am on Aug 22, 2003 (gmt 0)

Sobig.F has now made the big news headlines. I am sure the creator is now smiling at his or her success in creating an absolutely useless and senseless script.

I was hit on the very first day of it being found; on that day I was getting over 30 attacks in 2 hours!

It then rose to over 50 an hour; this was because of my high-ranking web sites.

Today things have calmed down for the moment; I seem to get 3 an hour, which is what I normally get from other viruses.

Apparently this virus is now the fastest-spreading virus on record (CNN).

I now find myself checking the Norton virus centre every day, updating every day and of course scanning every day. Getting into the practice of spending 2 minutes on start-up will prevent such headaches.

Every webmaster and Internet user has a level of responsibility to keep to, for in today's Internet world we are in a community, one very big community. If only everyone followed these simple steps we would have less of a problem than there already is.

Spend 2 mins every day updating; it's not hard!

AsleepATheWheel

10:14 am on Aug 22, 2003 (gmt 0)

I'm still getting a few through, but it seems to be slowing down a bit now.

lasko

12:43 pm on Aug 22, 2003 (gmt 0)

Symantec upgrades Sobig virus to 4 from 3 as of 22nd August

Should have been that a few days ago!

mikejson

1:37 pm on Aug 22, 2003 (gmt 0)

This isn't meant to be a plug for NAV but....

I have found over the last 2 years, me being a NAV user (hmm, I don't like calling myself a user, that usually means IDIOTS... oh did I say that...) and my buddy being a McAfee user.

I have found that he has gotten 3 viruses that he then had to go to Norton's website to get the removal tool for, and every one of the email ones he got (because his mother clicks on every attachment) was sent to my address and Norton caught it the same day. We both do the updates every day, so I do know Norton updates their definitions a bit faster. He actually updated the night before, and I updated the day before him. There is for sure a 2-day lag in McAfee's updates... for that one anyway.

lasko

1:51 pm on Aug 22, 2003 (gmt 0)

I had the same problem with my folks' McAfee anti-virus program: too slow, and updates a day or two late.

Norton does make most of the fixes for the viruses and has a faster turnaround for alerts and fixes.

mikejson

3:29 pm on Aug 22, 2003 (gmt 0)

Again I'm not plugging NAV or anything, but I do notice that even M$ points people to www.symantec.com to fix the W32.Blaster virus... And I do find Norton does a very extensive write-up about the virus and every detail, which I always find myself reading the entire page of... hehe

waitman

3:45 pm on Aug 22, 2003 (gmt 0)

We got nailed too. Our previous mail traffic had been just over 29,000 messages processed per week.

On the second day after we started noticing sizeable traffic from the worm, our servers processed about 32,000 emails in a single 24-hour period.

After adjusting the incoming and outgoing processing queue rates a bit, and configuring to disregard messages containing many of the particular subject lines, we were able to get a handle on server load.

I caught one of our machines running at 1200% CPU load at the beginning of the 'attack'! Ouch!

Good luck, and take care.

chrisandsarah

3:50 pm on Aug 22, 2003 (gmt 0)

My host is useless in helping me to stop all these emails coming in.
Can anyone help?
I download my emails with Outlook Express.
I can manage my emails before I download them by accessing them on webmail.mydomain.com

On the web, I get to use filters, but all they seem to do automatically is MARK mail for deletion, NOT delete it for good. Or, it can put emails into a TRASH folder, which after about an hour gets full, and then I can't receive any emails to that account until I've logged into webmail and deleted the spam or emptied the trash folder of it. So basically this system is useless for dealing with this sort of virus, and I'm losing legit emails from customers.

I tried some anti-spam software, but because this only deals with the emails as they are downloaded, it doesn't solve the problem of my webmail getting full and grinding to a halt.

Would my host be able to stop these emails before they even reach my webmail if they set a filter or something?
There must be a way of zapping them as they come in.
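Server-side filtering of the kind georgeek's host switched on (dropping PIF and SCR attachments), percentages describes for Exim (blocking any executable attachment) and waitman used (discarding known subject lines) is what chrisandsarah is asking for here. Below is an added Python example of such a filter; it is not code from the thread, from any host, or from Exim. It classifies one raw RFC 822 message and would sit behind a delivery-time hook such as an MTA pipe or a procmail recipe. The extension list, the blocked subjects and the sample messages are constructed assumptions for this example, not the worm's actual strings.

```python
"""Delivery-time filter for executable attachments and known-bad subjects (added example)."""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows executes on double-click.  The host in the thread blocked
# only .pif and .scr; the longer list is an assumption for this example, since
# the next worm simply picks a different extension.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Subjects to drop outright, compared case-insensitively after trimming.
# Constructed placeholders; a real list comes from the AV vendor's write-up.
BLOCKED_SUBJECTS = {"re: details", "re: wicked screensaver", "re: that movie"}


def attachment_names(msg):
    """Yield the filename of every leaf MIME part that carries one."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield name


def executable_extension(filename):
    """Return the offending extension or None.  Only the last suffix counts,
    so 'report.txt.pif' is caught: Windows hides the final extension by
    default, which is exactly why double extensions are used."""
    ext = os.path.splitext(filename)[1].lower()
    return ext if ext in EXECUTABLE_EXTS else None


def classify(raw):
    """Decide on one raw message.  Returns ('reject' or 'accept', reason).
    The subject rule runs first because it needs no look at the body; it is
    also the riskier rule, since a legitimate mail with the same subject is
    silently lost."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in BLOCKED_SUBJECTS:
        return "reject", f"blocked subject {subject!r}"
    for name in attachment_names(msg):
        ext = executable_extension(name)
        if ext:
            return "reject", f"executable attachment {name!r} ({ext})"
    return "accept", "ok"


def build_sample(subject, attach_name=None):
    """Constructed test message; the attachment payload is a few inert bytes."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "sales@example.net"
    m["Subject"] = subject
    m.set_content("See the attached file.")
    if attach_name:
        m.add_attachment(b"MZ\x00\x00", maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_string()


if __name__ == "__main__":
    for subject, name in [("Your details", "your_details.pif"),
                          ("Re: Details", None),
                          ("Invoice", "report.txt.pif"),
                          ("Invoice", "report.pdf")]:
        print(subject, name, "->", classify(build_sample(subject, name)))
```

Two practical notes. A "reject" verdict should mean discard, not bounce: the worm forges its From address (WebStart's sales@ and info@ addresses are being used as senders), so a bounce only hits a third innocent party. And a filter like this does nothing for a mailbox that is already full; it has to run before delivery, which is why it belongs with the host rather than in the mail client.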

Zamboni

3:52 pm on Aug 22, 2003 (gmt 0)

It seems to be smart enough to pull email addresses from online form code.

I have about 6 lead forms on different web sites, all set up with their own e-mail address, i.e. leads28@xxxxx.com. This is the only place the e-mail addresses are used, so no one would have this address in an address book (except for maybe a spammer).

1 e-mail address is being bombarded by the virus, i.e. leads22@xxxxx.com. After I changed the form e-mail yesterday all has been quiet.

Is anyone else seeing this type of hit? It's a FrontPage form, so I was wondering if the virus was possibly seeking these out.

rencke

4:35 pm on Aug 22, 2003 (gmt 0)

This might be useful for those concerned about what Sobig.F has been programmed to do tonight Friday 22nd of August:

F-Secure is monitoring the Sobig.F developments through the night on Friday the 22nd. Updates will be posted to Sobig.F’s virus description at [f-secure.com ]

F-Secure seems to be really ahead here and, according to media reports, they have cracked the encryption in Sobig's code, identifying 20 computers that will be used for a further attack tonight of unknown nature.

Kukenan

4:51 pm on Aug 22, 2003 (gmt 0)

Oh man!

This is looking more and more like terrorism...

I haven't seen it so bad since the NIMDA virus.

jimbeetle

4:53 pm on Aug 22, 2003 (gmt 0)

Here's the link to the F-Secure press release [f-secure.com].

Second phase of attack supposed to occur 19:00 UTC. Infected machines to attempt to connect to 20 other 'pre-hacked' machines to be directed to download a program and execute it. Big question is 'What is IT?'

Guess we'll have the answer a couple of hours from now.

(Mikko Hypponen of F-Secure is quoted on MSNBC “We’ve taken more than half [of the 20 pre-hacked machines] offline,”)

Kukenan

7:02 pm on Aug 22, 2003 (gmt 0)

I have been getting a lot of single IP visits to my homepage "without a referring URL".

Anyone knows if the virus scans for emails this way?

jimbeetle

7:14 pm on Aug 22, 2003 (gmt 0)

Looks like they beat the clock and were able to disconnect the 20 machines. Mikko Hyppönen, again quoted on MSNBC: "It seems that all of the attack servers needed are down."

niloc

7:18 pm on Aug 22, 2003 (gmt 0)

I had the emails, but not the virus attacks.

One of the main advantages of using an AppleMac.

Kukenan

7:24 pm on Aug 22, 2003 (gmt 0)

Same here.

Mac

I see the attacks but they're just an annoyance.

Chndru

7:29 pm on Aug 22, 2003 (gmt 0)

Any idea who were those 20 pre-defined master hosts?

jimbeetle

8:11 pm on Aug 22, 2003 (gmt 0)

Any idea who were those 20 pre-defined master hosts?

According to the MSNBC article [msnbc.com] it was two sets of 20 machines, just "private computer users with broadband access."

Further down it cautions that "Sobig.F will continue to attempt to make contact every Friday and Sunday until its programmed expiration on Sept. 20." (I thought it was Sept. 10th.) And that "the virus writers could substitute a new list of 20 IP addresses" to further muddy the waters.

Looks like everybody with an Internet connection is under the gun for the next couple of weeks.

waitman

8:20 pm on Aug 22, 2003 (gmt 0)

Regarding where the worm gets the emails to use for "spoofing", the major AV providers list about a dozen different file formats it scans and uses to harvest email addresses.

My guess is that it doesn't sniff out addresses over the Internet, and it doesn't really have anything to do with FrontPage (previous question).

If someone visits your web site, they get your page stuck in their cache, and the worm picks it out of their cache.

Just my idea,

take care...
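The harvesting that waitman describes, and that lasko, Rosalind and Zamboni are reacting to, is easy to reproduce against your own pages before they go live. The following is an added Python example; it is not the worm's code and not anything posted in the thread. It walks a directory the way a mass-mailer walks a browser cache, opens only files whose extension is on its list, and regex-matches anything shaped like an address. The sample files (a mailto page, a FrontPage-style form with the recipient in a hidden field, a form that posts to a server-side handler, a text file, and a .jpg that is never opened) are constructed for this example, and the extension list beyond html, htm and txt is an assumption.

```python
"""Harvester-style address scan over constructed sample files (added example)."""
import html
import os
import re
import tempfile

# The thread says the worm reads html, htm and txt files "and more"; the
# remaining extensions here are an assumption for this example.
SCANNED_EXTS = {".htm", ".html", ".txt", ".eml", ".dbx", ".wab"}

# The naive pattern a harvester uses: anything shaped like local@domain.tld.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample files.  The .jpg shows that a file whose extension is
# not on the list is never opened, whatever it happens to contain.
SAMPLE_FILES = {
    "contact_mailto.html": '<p>Write to <a href="mailto:sales@example.com">sales</a></p>',
    "form_hidden.htm": ('<form action="/cgi-bin/formmail.pl" method="post">'
                        '<input type="hidden" name="recipient" value="leads22@example.com">'
                        '</form>'),
    "form_serverside.html": ('<form action="/contact.php" method="post">'
                             '<textarea name="msg"></textarea></form>'),
    "notes.txt": "call info@example.com tomorrow",
    "picture.jpg": "owner@example.com would be found if .jpg were scanned",
}


def harvest_text(text):
    """Addresses a harvester would pull from one file's raw contents."""
    return set(ADDRESS_RE.findall(text))


def harvest_text_decoded(text):
    """Same scan after decoding HTML character references first, which is
    what a slightly smarter harvester does to defeat &#64;-style obfuscation."""
    return harvest_text(html.unescape(text))


def harvest_dir(root):
    """Walk root the way a worm walks a browser cache or My Documents."""
    found = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCANNED_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                found |= harvest_text(fh.read())
    return found


def entity_obfuscate(address):
    """Render an address as HTML character references.  Browsers display the
    real address; a harvester that never decodes entities sees no '@'."""
    return "".join(f"&#{ord(ch)};" for ch in address)


def demo():
    """Write the sample files to a scratch directory and harvest them."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return harvest_dir(root)


if __name__ == "__main__":
    print("harvested:", sorted(demo()))
    obfuscated = entity_obfuscate("sales@example.com")
    print("naive scan of obfuscated page:", harvest_text(obfuscated))
    print("entity-decoding scan:", harvest_text_decoded(obfuscated))
```

The hidden-field case answers Zamboni's question: nothing about FrontPage forms has to be "sought out", the recipient address is simply sitting in the HTML, and any copy of that page in a visitor's cache gives it up. Character-reference obfuscation defeats the naive regex but not a harvester that decodes entities first, so it buys little. A form that posts to a server-side handler keeps the address out of the page altogether, which is the change lasko and Rosalind describe; as Rosalind notes, cached copies of the old page still carry the address until they expire.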

afka5

9:33 pm on Aug 22, 2003 (gmt 0)

List of 20 master hosts, just published:

[sophos.com...]
