W32/Sobig.F wants me to go to college

Tuesday August 19, 2003 @ 04:58 PM (PDT)

I’ve been watching a steady stream of virus emails and bounce messages crowd into my Inbox all day today thanks to the W32/Sobig.F worm. Sobig is polymorphic (in the simplest sense) and spreads by mass-emailing itself to addresses harvested from your address book or your Internet Explorer cache. In addition, it forges the “From” address of the emails it sends, making it look like the email is coming from a randomly-chosen address. Unfortunately, since those “From” addresses are pulled from the browser cache, my email address (which has been all over the web for years) seems to be a pretty popular choice. The result is that whenever any mail server with a virus scanner catches a message sent by the Sobig worm using my address in the “From” field, the bounce message gets sent to me.

I’ve received quite a few messages today from the lclark.edu domain, but the latest one takes the cake. It’s an automated response from the Graduate School of Education at Lewis & Clark College thanking me for my request for enrollment information. W32/Sobig.F wants me to go to college and be a teacher.

Comments

All mine are pretty boring. Someone keeps trying to tell me my alumni e-mail (in perpetuity) at case is going to expire. It's all very tiresome.

What would you teach, you think? Hypothetically?

Well, we've had some huge virus problem here at Lewis & Clark over the last two days. When I checked the Teacher Ed (the department I work in) generic address this morning there were 268 new messages, all of them spam, and most of them from other people on campus. We normally get about 15 spam messages per day.

My personal lclark.edu address hasn't ever gotten any spam, and still hasn't. I don't think it's been infected. So it seems weird that it got your address from my address book. Maybe it was an IE cache or something else. Either way, it's probably my fault in some way.

It's pretty sad that such a worm can spread at all, since a correctly configured mail client would actually require the user to open an obscure executable attachment. But stupid people do exist in abundance, as evidenced by the epidemic it caused at my company's headquarters in San Francisco. This is yet another reason why everyone should install the Anti-Spam SMTP Proxy, which would actually have blocked the PIF attachment - if configured correctly.

I doubt it got my address from your address book. It probably didn't get it from anyone's address book, actually. It may have just dug it out of someone's browser cache.

If I had to teach something, I think history would be cool. Actually, even better would be a fruity subject like "Film Appreciation" or something where all I'd do is show movies and talk about them afterwards. God, that would be heaven.

You'd be good at that. You'd need a pipe and a tweedy jacket with suede patches on the elbows, though.

I'm tired of every few weeks having network service just slow to a crawl. When will people learn that Windows is not the answer, it's the problem?

Uh, I'm not noticing any adverse network effects from this worm. I was getting lots of virus emails, but a simple Procmail script solved that problem.

Actually, Windows isn't the problem. Windows admins are the problem. Properly configured email servers would have never allowed a .PIF file in from the internet. You shouldn't allow any executable file in from the internet.
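One way to act on the advice in the last two comments, written here as an added example in Python rather than the commenter's Procmail recipe (which the page does not show): a border filter that rejects messages carrying executable attachments such as Sobig.F's .PIF and flags bounces that arrive only because the worm forged your address. The worm message and the bounce are constructed samples, not real captures, and the addresses in them are placeholders.

```python
import email
from email import policy
from email.message import EmailMessage
# Extensions Windows runs on double-click; .pif is what Sobig.F shipped as.
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}

def executable_attachments(msg: EmailMessage) -> list[str]:
    """Return filenames of attachments whose last extension is executable."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        # Check only the final extension, so "photo.jpg.pif" is still caught.
        if name and "." in name and \
                "." + name.rsplit(".", 1)[1].lower() in EXECUTABLE_EXTENSIONS:
            hits.append(name)
    return hits

def classify(raw: bytes) -> str:
    """Decide what a border mail filter should do with one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if executable_attachments(msg):
        return "reject-executable"  # never let it reach a user's inbox
    if msg.get_content_type() == "multipart/report":
        return "bounce"  # backscatter if you never sent the original
    return "accept"

def build_worm_sample(filename: str = "your_document.pif") -> bytes:
    """Constructed message shaped like a Sobig.F mailing (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "forged.sender@example.com"  # forged, as the worm does
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Re: Details"
    msg.set_content("See the attached file for details.")
    msg.add_attachment(b"MZ-not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)

# Constructed bounce, as a virus-scanning server might send to the forged sender.
BOUNCE_SAMPLE = b"""\
From: MAILER-DAEMON@mail.example.edu
To: forged.sender@example.com
Subject: Undeliverable: Re: Details
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Rejected: attachment your_document.pif is not allowed.
--b1--
"""
```

Messages classed as "bounce" are not necessarily hostile, but when you sent nothing to that server they are exactly the backscatter the post describes and can be filed away without reading.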

Copyright © 2002-2012 Ryan Grove. All rights reserved.
Powered by Thoth.