Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Sobig virus removal 1

Status
Not open for further replies.
aaronjonmartin

aaronjonmartin

Technical User
Jul 9, 2002
475
GB
Everybody on my exchange server got infected with the Sobig virus yesterday, I updated my symantec antivirus and scanned and removed everything. However I have come in this morning and everybody has recieved the emails again, but there are no attachments. The subject lines vary but are mostly re: your application and the message body says see attached file but there are no attachments and any of them. I have recieved about 51 mails this morning all like this, does this mean we are still infected? Im not sure what to do, any thoughts?
 
Sort by date Sort by votes

or


Good luck, hope this helps. My regular business e-mail is down from register.com and these guys are GOOD!

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@nellsgiftbox.com

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884

"Once the game is over, the king and the pawn return to the same box."
 
Upvote 0 Downvote
Do you think because the worm has its own SMTP engine once i have been infected it will remember all the email addresses it infected and even though I have removed the virus it will still keep sending it me because it "knows" the addressess. This could explain the emails, and the reason there is no attachments is that the virus was removed and my av is up to date and stopping any dangers? Just a guess, any thoughts?
 
Upvote 0 Downvote
I thought the same thing, as one of my users got it yesterday. Same thing, after removal, we were still getting it about 15 times an hour. I started checking the headers on the incoming E-mail, and it was not coming from internal. So we were clean, just getting a ton of these as everyone else is... I don't believe that if the winppr32 is not running that it keeps infecting. It is probably coming from the Internet, as this was reported the fastest spreading virus ever. Check the headers of your E-mail by selecting the mail and going to options, in case you didn't know.
I actually found almost all of them coming from 3 different mail servers. I blocked their IP with an ACL, and now the amount we are receiving has dropped to about 4 every 2 hours...
Just my experiences dealing with this issue......

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
Upvote 0 Downvote
Mine may not be the same as what you need to block. When you receive one of these messages, highlight it, right-click, choose options and look at the Internet headers.
You will see Microsoft Mail Headers blah, blah. After that you will see Received from mailserver.domain.com([IPADDRESS]). That is the one to block.....

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
Upvote 0 Downvote
Here's a star Matt. I started getting tons of e-mail Monday, before sobig was even reported by Trend. I called a friend and asked if he had heard anything. "Nope, nothing goin on here." Next day it was on the news. Think it's starting to die out finally. No attachments today. Finally. Good luck all, we're gonna need it in the "Week of the Worms" as it's being called.

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884

"Once the game is over, the king and the pawn return to the same box."
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

iambob
  • Locked
  • Question
Avast Anti-Virus is.. a virus?! 3
Replies
5
Views
284
Oorde
Oorde
andyv2011
  • Locked
  • Question
Looking at Virus Actions
Replies
0
Views
121
andyv2011
andyv2011
Tiffc0922
  • Locked
  • Question
Virus / Malware Scans on Local PCs
Replies
5
Views
179
goombawaho
goombawaho
kharrison70
  • Locked
  • Question
Meskisift Visaal Studie Virus? 6
Replies
6
Views
179
goombawaho
goombawaho
CCX008
  • Locked
  • Question
Barowwsoe2save , how can I remove this stubborn virus !! 3
Replies
10
Views
249
goombawaho
goombawaho

Part and Inventory Search

Sponsor

Back
Top