THE WELCH COMPANY
440 Davis Court #1602
San Francisco, CA 94111-2496
415 781 5700
rodwelch@pacbell.net


S U M M A R Y


DIARY: August 19, 2003 12:01 PM Tuesday; Rod Welch

New email virus sobig.f slows work; took a day to recover.

1...Summary/Objective
2...Email Flooded by Bogus Correspondence Reflecting a Virus



CONTACTS 
0201 - Pacific Bell Network Services
020101 - Ms. Evelyn Bannon; Technical Advisor
020103 - DSL Help Desk

SUBJECTS
Email Virus Improper Inappropriate Materials Being Transferred to Our
Virus Sobig.F Email Improper Inappropriate Materials Being Transferre
Sobig.F Virus Email Improper Inappropriate Materials Being Transferre

0705 -
0705 -    ..
0706 - Summary/Objective
0707 -
070701 - Follow up ref SDS 3 0000, ref SDS 2 0000.
070702 -
070703 - Seem to have been hit by another virus today; hopefully our computer
070704 - is not infected, but we feel the effects of being flooded by bogus
070705 - messages that carry a virus if the attachment in the email is opened.
070706 - ref SDS 0 755S  Did not open the attachment, so we should be okay.
070707 - Ran McAfee and got a clean report. ref SDS 0 JH3K  This is another
070708 - all day waste of time.
070709 -
070710 -
070711 -
070712 -
070714 -  ..
0708 -
0709 -
0710 - Problem
0711 -
071101 - Email Flooded by Bogus Correspondence Reflecting a Virus
071102 -
071103 - Yesterday, began getting a lot of email that looked bogus, with
071104 - friendly, innocuous subjects from people who are unknown.  These
071105 - messages have occurred from time to time over the past 4 or 5 years
071106 - with varying degrees of frequency, and are routinely deleted.  The
071107 - frequency seemed higher yesterday, and then today the frequency shot
071108 - up to 20 to 30 an hour all day.  The same descriptions are repeated
071109 - indicating these are not legitimate correspondence, and the increased
071110 - frequency indicates an automated virus operation that intends harm.
071112 -  ..
071113 - This is different from "spam" that has a commercial objective to sell
071114 - something.  For example, letters with "URGENT ASSISTANCE" and similar
071115 - subjects are seeking to sell people on the idea of getting a money
071116 - transfer.
071118 -  ..
071119 - After several hours of getting these emails and deleting them, I took a
071120 - chance and opened two letters.  They both had the same message to
071121 - click on a link for more details.  This is a red flag based on prior
071122 - warnings in the media that email with links allow a virus to attack
071123 - the computer.
071124 -
071125 -      ...below, article published by Reuters reports that opening the
071126 -      attachment triggers harm. ref SDS 0 755S
071128 -  ..
071129 - Called the phone company to report a problem.
071131 -  ..
071132 - Talked to Dan with SBC DSL support.
071134 -  ..
071135 - Dan suggested logging onto...
071136 -
071137 -         http://help.scbglobal.net
071138 -
071139 - ...and asking for help with email.
071141 -  ..
071142 - Clarified that our email system is operating correctly, but that there
071143 - appears to be an abuse of the system that should be investigated by
071144 - Pac Bell.
071146 -  ..
071147 - Dan suggested signing up for a spam guard system at...
071148 -
071149 -         http://sbc.yahoo.com
071151 -  ..
071152 - We reviewed the objective to report and prevent criminal activity
071153 - attempting to harm property and business transactions.
071155 -  ..
071156 - Dan said to notify via email...
071158 -     ..
071159 -    abuse@sbcglobal.net
071161 -  ..
071162 - After discussing the matter, Dan advised that sbcglobal.net is not the
071163 - correct number to call about our email account.
071165 -  ..
071166 - Dan said that Pac Bell has another number for our email address at...
071167 -
071168 -             866 722 3425
071169 -
071170 - ...because it is not a DSL email address.
071172 -  ..
071173 - Dan gave a case number on this call.
071175 -       ..
071176 -      case ID.  33935156
071177 -
071178 -         [On 030908 Tina in DSL support has a record of this case
071179 -         number. ref SDS 4 4I9G]
071181 -  ..
071182 - Dan said that in addition to calling, we can send a letter to...
071183 -
071184 -    abuse@pacbell.net
071185 -
071186 - ...to ask for an investigation to stop this problem.
071188 -  ..
071189 - Following the call, sent the following letter....
071190 -
071191 -      Subject: Flooded by bogus email, virus
071192 -      Date: Tue, 19 Aug 2003 12:38:13 -0700
071193 -      From: Rod Welch <rodwelch@pacbell.net>
071194 -      To: abuse@pacbell.net
071196 -       ..
071197 -      Hi,
071199 -       ..
071200 -      The past year we have been getting flooded by bogus letters.
071201 -      Many of these are obvious saying "URGENT ASSISTANCE" and the
071202 -      like.
071204 -       ..
071205 -      However, the past several days, we have been getting about 20
071206 -      email an hour all day that have a subject like... "Your details,
071207 -      Re: Your application, Re: Approved, Your Details, Undeliverable
071208 -      Mail, Re: That movie, Your details, etc, etc."
071210 -       ..
071211 -      As you can see some of these are repeated and they are only minutes
071212 -      apart.
071214 -       ..
071215 -      Something seems to be going on, somehow our address is on
071216 -      someone's automated address machine.
071218 -       ..
071219 -      Can you call me at 925 680 8948 to advise of protective measures.
071221 -       ..
071222 -      Thanks.
071224 -       ..
071225 -      Rod
071226 -
071227 -
071229 -  ..
0713 -
0714 -
0715 - 1421
0716 -
071601 - Called                 866 722 3425
071603 -  ..
071604 - Got a message to contact Microsoft to troubleshoot the recent virus
071605 - problem solved on 030812. ref SDS 1 YU6G  There were several other
071606 - instructions to press various buttons, but then all went in a loop
071607 - back to the message saying to call Microsoft.  There was no evident
071608 - way to report our problem to Pac Bell at this number provided by Dan,
071609 - per above. ref SDS 0 RK6S
071611 -  ..
071612 - Logged onto a pacbell Internet address we have in the Contact system.
071614 -  ..
071615 - On the web pages, found another number to call at Pac Bell.
071617 -  ..
071618 - Talked to "Sunshine."
071620 -  ..
071621 - She said we should contact the DSL account people.
071623 -  ..
071624 - Explained I just talked to Dan at DSL support, ref SDS 0 RK86, and Dan
071625 - said to call Pac Bell support. ref SDS 0 RK6S
071627 -  ..
071628 - Sunshine did some investigation while I was on hold.
071629 -
071630 -
071632 -  ..
0717 -
0718 -
0719 - 1451
0720 -
072001 - Sunshine came back online.
072002 -
072003 - She said that research shows we got our email address before signing
072004 - up for DSL.
072006 -  ..
072007 - She will connect us with someone who can upgrade our account and then
072008 - Pac Bell can install some filters to reduce the incidence of improper
072009 - materials flooding our account.
072011 -  ..
072012 - On hold again.
072013 -
072015 -  ..
0721 -
0722 -
0723 - 1454
0724 -
072401 - Talked to Ellie.
072402 -
072403 - She reviewed the scope of the problem submitted in the letter to...
072404 -
072405 -             abuse@pacbell.net
072406 -
072407 - ...per above. ref SDS 0 RL43
072409 -  ..
072410 - Ellie said that notifying the abuse people is the only remedy she
072411 - knows for the problem of false email attributing misleading notices to
072412 - SBC for attempting to lure customers into opening a virus.
072413 -
072414 -
072415 -
072417 -  ..
0725 -
0726 -
0727 - 1512
0728 -
072801 - Talked to Dwayne the supervisor.
072802 -
072803 - Dwayne said that since we have submitted notice to abuse@pacbell.net,
072804 - per above, ref SDS 0 RL43, that we will be contacted.  They are very
072805 - busy right now, but we should hear from SBC within a few days.
072807 -  ..
072808 - Dwayne said that in the meantime use...
072809 -
072810 -       case number:  33945014
072811 -
072812 -
072814 -  ..
0729 -
0730 -
0731 - 1619
0732 -
073201 - After taking the above action, checked the news and found an article
073202 - that reports the symptoms we are experiencing fit the profile of a
073203 - new email virus...
073204 -
073205 -      SAN FRANCISCO (Reuters) - A new mass e-mail worm that attempts to
073206 -      download files from the Internet and potentially leave computers
073207 -      vulnerable to further attack was spreading quickly around the
073208 -      world on Tuesday, anti-virus experts said. ref OF 1 0001
073210 -       ..
073211 -      The new worm, dubbed Sobig.F, is at least the fourth new, major
073212 -      Internet worm to hit computers worldwide in the past week,
073213 -      prompting anti-virus vendor F-Secure to declare this the "worst
073214 -      virus week ever." ref OF 1 Z85K
073216 -       ..
073217 -      It arrives in e-mail and includes a variety of subject lines,
073218 -      including "Your details," "Thank you!," "Your application" and
073219 -      "Wicked screensaver." It has caused some corporate e-mail systems
073220 -      to grind to a halt, according to Sophos Inc. ref OF 1 A96L
073222 -  ..
073223 - These are the symptoms we reported today, per above. ref SDS 0 TK4J
073225 -  ..
073226 - Reuters' Article continues...
073227 -
073228 -      When the .pif or .scr attachment is opened, Sobig.F infects the
073229 -      computer and sends itself on to other victims using a random
073230 -      e-mail address from the address book. ref OF 1 H97H
073232 -  ..
073233 - This suggests that the attachment must be opened to cause harm, and
073234 - since we did not open the attachments, per above, ref SDS 0 PO7W, our
073235 - computer should be okay.
073236 -
073237 -      If the infected computer is on a shared network, the worm tries
073238 -      to copy itself to the other computers on that network.
073239 -      ref OF 1 7E8G
073241 -  ..
073242 - So, we need to run McAfee again.
073244 -  ..
073245 - Did this and got a clean report on c13, which is the only system
073246 - receiving email.
073247 -
073248 -
073249 -
073250 -
073251 -
073252 -
073253 -
073254 -
073255 -
073256 -
073257 -
073258 -
0733 -
Distribution. . . . See "CONTACTS"






























