Originally posted by DJ Jackalope
Sobig question
If it was not for the "Dear Occupant" mail I'd feel totally unloved. :>
.sobig celebration
Hm.
Today is the first day I did not receive a single .sobig attachment.
*throws party*
Looking over google, the only place where your (Blackwave) email address and mine appear on the same web page is the Defcon 11 slogan contest.
Although Mr. Florida has stopped, I'm betting the web logs for the slogan contest will show his IP address... :-)
semantics on Symantec ;)
Originally posted by guano
Sorry Blackwave -- not exactly true. Sobig-F also scans files on the computer looking for anything that might be an email address. This includes web cache. Thus, if someone visited defcon.org and then got infected, all those email addresses at defcon.org would be sent the virus. (I'm 90% certain that's how Mr. Florida got both you and me.) You don't need to be in their address book or inbox.
Originally posted by blackwave
Regarding SoBig.F, as long as someone doesn't have your email addy during their infected state you should be in fine shape, especially if you don't windows yourself. I have yet to get an infection myself, just more of these annoyances that are beyond my control with a few of my public email addresses... alas.
Originally posted by Siviak
ya know.. something just occurred to me.. with all my years of using Windows (for which I have suffered more than my fair share of shit) and AOL (don't even get me started with all of THAT) I have yet to contract a virus..... way to go Uber Hackers.. now leave me alone ;)
btw for the ppl that pm'd me about the countdown...
here are a couple of links...
http://www.wininformant.com/Articles...rticleID=39943
http://searchsecurity.techtarget.com...920957,00.html
ya know.. something just occurred to me.. with all my years of using Windows (for which I have suffered more than my fair share of shit) and AOL (don't even get me started with all of THAT) I have yet to contract a virus..... way to go Uber Hackers.. now leave me alone ;)
Option #3 None of the above.
It appears to be a Lovelorn variant. Now why my scanners still aren't picking it up, I have no idea.
Originally posted by octalpussy
No, I'm not sure. I don't know what it is, because none of my virus scanners are picking it up. The e-mails it is sending out have subjects of "help" and something about "baby $2000 USD play this game".
You should:
1. nmap against your system. Look for all ports below 10000.
2. Look for "new" services. In particular, open proxies, web servers, IRC servers, and remote control software (current fad: DameWare).
Option #1: The port scan will find a set of open ports. Either 1180-1185, 2280-2285, or 3380-3385. That's SoBig-A, B-D, and D-E (D changed ports near the end).
Option #2: You've probably had your system compromised. There are a couple of spam groups that are compromising systems, installing rootkits, and then sending spam. (I cleaned three such systems in the last two weeks, and I've identified a few dozen more.) The rough topics you've listed match one of these groups.
If this is the case, drop me a PM with your email and we'll take this conversation off-line. (If this is the case, then I really want a copy of some of the emails, as well as the IRC connections logs, DameWare logs, etc... Yes, they leave logging enabled!)
Having said that... If this is the case, you should:
1. Copy off all of your personal data.
2. Reinstall from scratch.
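The port check described in the post above, as an added example that is not part of the original thread: it parses nmap's grepable (`-oG`) output, flags open ports in the three ranges the post lists, and reports other open ports below 10000 that are not in a known-good baseline. The function names, the baseline set and the sample scan are assumptions constructed for illustration.

```python
import re

# Port ranges and labels exactly as given in the post above.
SOBIG_RANGES = [
    (range(1180, 1186), "SoBig-A"),
    (range(2280, 2286), "SoBig B-D"),
    (range(3380, 3386), "SoBig D-E"),
]

# Constructed sample of nmap grepable (-oG) output; host and ports are made up.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///, "
    "2281/open/tcp/////, 2283/closed/tcp/////, 6667/open/tcp//irc///, "
    "12000/open/tcp/////\tIgnored State: closed (9994)\n"
)

def open_ports(grepable, limit=10000):
    """Return {host: [(port, proto, service), ...]} for open ports below limit."""
    hosts = {}
    for line in grepable.splitlines():
        m = re.match(r"Host: (\S+).*?\tPorts: ([^\t]*)", line)
        if not m:
            continue
        for entry in m.group(2).split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) < 5 or fields[1] != "open":
                continue
            port = int(fields[0])
            if port < limit:
                hosts.setdefault(m.group(1), []).append((port, fields[2], fields[4]))
    return hosts

def triage(grepable, baseline):
    """Split open ports into SoBig-range hits and other ports not in the baseline."""
    sobig, unexpected = [], []
    for host, ports in open_ports(grepable).items():
        for port, proto, service in ports:
            label = next((name for rng, name in SOBIG_RANGES if port in rng), None)
            if label:
                sobig.append((host, port, proto, label))
            elif port not in baseline:
                unexpected.append((host, port, proto, service))
    return sobig, unexpected

if __name__ == "__main__":
    hits, new = triage(SAMPLE_SCAN, baseline={25})
    print("SoBig-range ports:", hits)
    print("Open but not in baseline:", new)
```

The "not in baseline" list is where the post's step 2 applies: web servers, IRC servers, proxies or remote control software that you did not install yourself.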
Originally posted by blackwave
of course it can send to all the recipients of your palm's address book. Surely you aren't the only one with the emails of your palm's address book recipients...
stop it. you know what i mean!
Originally posted by KeLviN
i am well aware.... but you should all feel happy knowing that the thing has no way of sending to all the recipients of my palm's address book.
Originally posted by blackwave
d00d.. it isn't about what os or client you are running... it is about being on a list... once you are on that list all the shit starts to come to you... regardless of what you are running...