THE WELCH COMPANY
440 Davis Court #1602
San Francisco, CA 94111-2496
415 781 5700
rodwelch@pacbell.net
S U M M A R Y
DIARY: August 19, 2003 12:01 PM Tuesday;
Rod Welch
New email virus sobig.f slows work; took a day to recover.
1...Summary/Objective
2...Email Flooded by Bogus Correspondence Reflecting a Virus
CONTACTS
0201 - Pacific Bell Network Services
020101 - Ms. Evelyn Bannon; Technical Advisor
020103 - DSL Help Desk
SUBJECTS
Email Virus Improper Inappropriate Materials Being Transferred to Our
Virus Sobig.F Email Improper Inappropriate Materials Being Transferre
Sobig.F Virus Email Improper Inappropriate Materials Being Transferre
0705 -
0705 - ..
0706 - Summary/Objective
0707 -
070701 - Follow up ref SDS 3 0000, ref SDS 2 0000.
070702 -
070703 - Seem to have been hit by another virus today; hopefully our computer
070704 - is not infected, but we feel the effects of being flooded by bogus
070705 - messages that carry a virus if the attachment in the email is opened.
070706 - ref SDS 0 755S Did not open the attachment, so we should be okay.
070707 - Ran McAfee and got a clean report. ref SDS 0 JH3K This is another
070708 - all day waste of time.
070709 -
070710 -
070711 -
070712 -
070714 - ..
0708 -
0709 -
0710 - Problem
0711 -
071101 - Email Flooded by Bogus Correspondence Reflecting a Virus
071102 -
071103 - Yesterday, began getting a lot of email that looked bogus, with
071104 - friendly, innocuous subjects from people who are unknown. These
071105 - messages have occurred from time to time over the past 4 or 5 years
071106 - with varying degrees of frequency, and are routinely deleted. The
071107 - frequency seemed higher yesterday, and then today the frequency shot
071108 - up to 20 to 30 an hour all day. The same descriptions are repeated
071109 - indicating these are not legitimate correspondence, and the increased
071110 - frequency indicates an automated virus operation that intends harm.
071112 - ..
071113 - This is different from "spam" that has a commercial objective to sell
071114 - something. For example, letters with "URGENT ASSISTANCE" and similar
071115 - subjects are seeking to sell people on the idea of getting a money
071116 - transfer.
071118 - ..
071119 - After several hours of getting these email and deleting them, I took a
071120 - chance and opened two letters. They both had the same message to
071121 - click on a link for more details. This is a red flag based on prior
071122 - warnings in the media that email with links allow a virus to attack
071123 - the computer.
071124 -
071125 - ...below, article published by Reuters reports that opening the
071126 - attachment triggers harm. ref SDS 0 755S
071128 - ..
071129 - Called the phone company to report a problem.
071131 - ..
071132 - Talked to Dan with SBC DSL support.
071134 - ..
071135 - Dan suggested logging onto...
071136 -
071137 - http://help.scbglobal.net
071138 -
071139 - ...and asking for help with email.
071141 - ..
071142 - Clarified that our email system is operating correctly, but that there
071143 - appears to be an abuse of the system that should be investigated by
071144 - Pac Bell.
071146 - ..
071147 - Dan suggested signing up for a spam guard system at...
071148 -
071149 - http://sbc.yahoo.com
071151 - ..
071152 - We reviewed the objective to report and prevent criminal activity
071153 - attempting to harm property and business transactions.
071155 - ..
071156 - Dan said to notify via email...
071158 - ..
071159 - abuse@sbcglobal.net
071161 - ..
071162 - After discussing the matter, Dan advised that sbcglobal.net is not the
071163 - correct number to call about our email account.
071165 - ..
071166 - Dan said that Pac Bell has another number for our email address at...
071167 -
071168 - 866 722 3425
071169 -
071170 - ...because it is not a DSL email address.
071172 - ..
071173 - Dan gave a case number on this call.
071175 - ..
071176 - case ID. 33935156
071177 -
071178 - [On 030908 Tina in DSL support has a record of this case
071179 - number. ref SDS 4 4I9G]
071181 - ..
071182 - Dan said that in addition to calling, we can send a letter to...
071183 -
071184 - abuse@pacbell.net
071185 -
071186 - ...to ask for an investigation to stop this problem.
071188 - ..
071189 - Following the call, sent the following letter....
071190 -
071191 - Subject: Flooded by bogus email, virus
071192 - Date: Tue, 19 Aug 2003 12:38:13 -0700
071193 - From: Rod Welch <rodwelch@pacbell.net>
071194 - To: abuse@pacbell.net
071196 - ..
071197 - Hi,
071199 - ..
071200 - The past year we have been getting flooded by bogus letters.
071201 - Many of these are obvious saying "URGENT ASSISTANCE" and the
071202 - like.
071204 - ..
071205 - However, the past several days, we have been getting about 20
071206 - email an hour all day that have a subject like... "Your details,
071207 - Re: Your application, Re: Approved, Your Details, Undeliverable
071208 - Mail, Re: That movie, Your details, etc, etc."
071210 - ..
071211 - As you can see some of these are repeated and they are only minutes
071212 - apart.
071214 - ..
071215 - Something seems to be going on, somehow our address is on
071216 - someone's automated address machine.
071218 - ..
071219 - Can you call me at 925 680 8948 to advise of protective measures.
071221 - ..
071222 - Thanks.
071224 - ..
071225 - Rod
071226 -
071227 -
071229 - ..
0713 -
0714 -
0715 - 1421
0716 -
071601 - Called 866 722 3425
071603 - ..
071604 - Got a message to contact Microsoft to troubleshoot the recent virus
071605 - problem solved on 030812. ref SDS 1 YU6G There were several other
071606 - instructions to press various buttons, but then all went in a loop
071607 - back to the message saying to call Microsoft. There was no evident
071608 - way to report our problem to Pac Bell at this number provided by Dan,
071609 - per above. ref SDS 0 RK6S
071611 - ..
071612 - Logged onto a pacbell Internet address we have in the Contact system.
071614 - ..
071615 - On the web pages, found another number to call at Pac Bell.
071617 - ..
071618 - Talked to "Sunshine."
071620 - ..
071621 - She said we should contact the DSL account people.
071623 - ..
071624 - Explained I just talked to Dan at DSL support, ref SDS 0 RK86, and Dan
071625 - said to call Pac Bell support. ref SDS 0 RK6S
071627 - ..
071628 - Sunshine did some investigation while I am on hold.
071629 -
071630 -
071632 - ..
0717 -
0718 -
0719 - 1451
0720 -
072001 - Sunshine came back online.
072002 -
072003 - She said that research shows we got our email address before signing
072004 - up for DSL.
072006 - ..
072007 - She will connect us with someone who can upgrade our account and then
072008 - Pac Bell can install some filters to reduce the incidence of improper
072009 - materials flooding our account.
072011 - ..
072012 - On hold again.
072013 -
072015 - ..
0721 -
0722 -
0723 - 1454
0724 -
072401 - Talked to Ellie.
072402 -
072403 - She reviewed the scope of the problem submitted in the letter to...
072404 -
072405 - abuse@pacbell.net
072406 -
072407 - ...per above. ref SDS 0 RL43
072409 - ..
072410 - Ellie said that notifying the abuse people is the only remedy she
072411 - knows for the problem of false email attributing misleading notices to
072412 - SBC for attempting to lure customers into opening a virus.
072413 -
072414 -
072415 -
072417 - ..
0725 -
0726 -
0727 - 1512
0728 -
072801 - Talked to Dwayne the supervisor.
072802 -
072803 - Dwayne said that since we have submitted notice to abuse@pacbell.net,
072804 - per above, ref SDS 0 RL43, that we will be contacted. They are very
072805 - busy right now, but we should hear from SBC within a few days.
072807 - ..
072808 - Dwayne said that in the meantime use...
072809 -
072810 - case number: 33945014
072811 -
072812 -
072814 - ..
0729 -
0730 -
0731 - 1619
0732 -
073201 - After taking the above action, checked the news and found an article
073202 - that reports the symptoms we are experiencing fit the profile of a
073203 - new email virus...
073204 -
073205 - SAN FRANCISCO (Reuters) - A new mass e-mail worm that attempts to
073206 - download files from the Internet and potentially leave computers
073207 - vulnerable to further attack was spreading quickly around the
073208 - world on Tuesday, anti-virus experts said. ref OF 1 0001
073210 - ..
073211 - The new worm, dubbed Sobig.F, is at least the fourth new, major
073212 - Internet worm to hit computers worldwide in the past week,
073213 - prompting anti-virus vendor F-Secure to declare this the "worst
073214 - virus week ever." ref OF 1 Z85K
073216 - ..
073217 - It arrives in e-mail and includes a variety of subject lines,
073218 - including "Your details," "Thank you!," "Your application" and
073219 - "Wicked screensaver." It has caused some corporate e-mail systems
073220 - to grind to a halt, according to Sophos Inc. ref OF 1 A96L
073222 - ..
073223 - These are the symptoms we reported today, per above. ref SDS 0 TK4J
073225 - ..
073226 - Reuters' Article continues...
073227 -
073228 - When the .pif or .scr attachment is opened, Sobig.F infects the
073229 - computer and sends itself on to other victims using a random
073230 - e-mail address from the address book. ref OF 1 H97H
073232 - ..
073233 - This suggests that the attachment must be opened to cause harm, and
073234 - since we did not open the attachments, per above, ref SDS 0 PO7W, our
073235 - computer should be okay.
073236 -
073237 - If the infected computer is on a shared network, the worm tries
073238 - to copy itself to the other computers on that network.
073239 - ref OF 1 7E8G
073241 - ..
073242 - So, we need to run McAfee again.
073244 - ..
073245 - Did this and got a clean report on c13, which is the only system
073246 - receiving email.
073247 -
073248 -
073249 -
073250 -
073251 -
073252 -
073253 -
073254 -
073255 -
073256 -
073257 -
073258 -
0733 -
Distribution. . . . See "CONTACTS"