Creativyst Forums 
Support & Discussion 
Topic: W32.SoBig.F Backwash
JRepici
Administrator
W32.SoBig.F Backwash (Date posted: 08/25/03 at 10:39:33)

This Windows based virus has found a way to affect those of us who do the work and keep our systems virus free. And just like a bio-virus, it uses our own virus defense mechanisms against us.

The virus fills the "from:" address in emails it sends out with names it finds in the infected machines.

Those with well-protected machines see the virus in the email and return it to the address in the "from:" field. But of course, that is just an address the virus found on the infected machine.

Often, it turns out to be your address. For example, because my email address is published on the web I'm getting a lot of this backwash.

  • The infected machines will have my contact page in their web-caches.
  • The virus will find it there, and place it in the "from:" field of its outgoing messages.
  • Protected email systems that receive these messages will see the virus and send a warning to the address in that "from:" field. It does this to inform the sender that they have a virus.
  • But since the virus spoofed the "from:" field, it is the wrong address.

I was getting 50-100/day of this W32.SoBig.F "backwash" at the peak; I'm down to about 20-30/day right now, though it might get worse now that it's Monday. Just a guess, since many infected office computers are being turned back on after the weekend off.

Interestingly, just like bio-viruses use the body's own defense mechanisms against it, so has this virus. In terms of lost time, most of the damage is caused by well-defended machines bouncing back warnings to the "from:" address. They do this for a good reason: to warn the sender that they have sent a virus, but in this case it is not the real sender.

What's needed is a flag in the email filter's virus information file to say "The 'from:' field is not real in this virus, so don't bother to warn the sender".

-John
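Both sides of the problem described in the post, as an added example that is not part of the original thread: a gateway-side check implementing the "don't warn the sender" flag John asks for, and a receiver-side filter that recognises the automated virus-warning "backwash" hitting a spoofed address. The message samples, addresses and the virus-definition table are constructed for this example.

```python
import re
from email import message_from_string

# Constructed sample messages (assumed, not from the post): the first is the
# kind of anti-virus "warning" bounce sent to the forged From: address, the
# second is an ordinary human reply that must not be filtered.
SAMPLES = [
    "Return-Path: <>\n"
    "From: postmaster@mailgate.example.net\n"
    "To: john@example.com\n"
    "Subject: Virus alert: W32.Sobig.F@mm detected in your message\n"
    "Auto-Submitted: auto-replied\n"
    "\n"
    "Your message was not delivered because it contained W32.Sobig.F@mm.\n",
    "Return-Path: <alice@example.org>\n"
    "From: alice@example.org\n"
    "To: john@example.com\n"
    "Subject: Re: meeting\n"
    "\n"
    "See you Tuesday.\n",
]

# Hypothetical virus-definition table carrying the flag John proposes: when a
# worm forges From:, the gateway should drop silently instead of "warning the
# sender". The SoBig.F entry reflects the post; the other is a placeholder.
VIRUS_DEFS = {
    "W32.Sobig.F@mm": {"spoofs_from": True},
    "EXAMPLE.MacroVirus": {"spoofs_from": False},
}

VIRUS_WORDS = re.compile(r"\b(virus|worm|sobig|infected)\b", re.I)


def should_notify_sender(virus_name):
    """Gateway-side decision: warn the From: address only when the definition
    does not mark it as forged. Unknown names keep the old behaviour (warn)."""
    return not VIRUS_DEFS.get(virus_name, {}).get("spoofs_from", False)


def is_backwash(raw_message):
    """Receiver-side detection of an auto-generated virus warning: a null
    envelope sender (Return-Path: <>) or an Auto-Submitted header, combined
    with virus wording in the Subject or body."""
    msg = message_from_string(raw_message)
    automated = (msg.get("Return-Path", "").strip() == "<>"
                 or msg.get("Auto-Submitted", "no").lower() != "no")
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    return automated and VIRUS_WORDS.search(text) is not None


def count_backwash(raw_messages):
    """Tally of warning bounces, the figure John tracks per day."""
    return sum(1 for m in raw_messages if is_backwash(m))
```

Running `count_backwash(SAMPLES)` over the constructed samples gives 1, and `should_notify_sender("W32.Sobig.F@mm")` returns False, i.e. the gateway stays quiet instead of adding to the backwash.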

YaBB Board © 2000 YaBB Programming Team
© Copyright 2002 - 2008 Creativyst, Inc.