
This Virus was so "So Big" of a sneak

"I fear you're underestimating the sneakiness sir" - John Turturro playing the world's sneakiest butler in the movie "Mr. Deeds."

I can just imagine the guy (virus programmers are rarely women) who created the SoBig.F virus saying that to the rest of the world.

I normally wouldn't dedicate an entire article to a particular virus, but SoBig.F was different. Most viruses only cause problems on the computers that are infected. However, this one affected the uninfected in a very big way (try saying that three times fast!).

If you, like myself, received mysterious e-mail messages last month that made it seem like your PC was infected, yet your antivirus program reported that it was NOT infected, read on. I'll explain what happened.

So was my PC infected or not?

Your first clue that something was amiss was probably like mine. When I checked e-mail that morning, I was surprised to see an excessive number of spam-looking messages (actually, I'd argue that any spam is excessive, but you know what I mean). The strange thing is that many of them were coming from e-mail addresses that I recognized, which meant that the senders were probably infected with a virus (vs. coming from nefarious spammers).

But what was more alarming was the number of "auto-response" messages I received, claiming that an e-mail message I had sent couldn't be delivered (usually because the recipient's address was no longer valid). However, I had NOT sent any messages to those people.

But just to be safe, I checked my "Sent" e-mail folder in Outlook to make sure that I really hadn't sent the messages (I hadn't). Then I made sure my antivirus software was up to date.

Stranger still was when I started receiving a different kind of auto-response message that claimed I had sent a virus to somebody.

Again I checked my Sent e-mail folder and made sure that my antivirus program was up to date. I still seemed to be innocent, despite what the auto-response messages were saying.

Somebody had spoofed me (forged my e-mail address)

After I read the reports on the Internet about what this virus was doing, things made sense. My e-mail address had been spoofed. This was sneaky thing #1.

Spoofing is the term for forging the "From" field in an e-mail message. Somebody else was sending out hundreds of e-mail messages that had my e-mail address in the From field.

So, even though my PC had not been infected with the virus, hundreds of messages were flying around the Internet that showed me as the sender of the virus.

Here's what was happening: after infecting a victim's computer (not mine), the virus looked through their hard drive until it came across an e-mail address (in this case mine) to use in the "From" field of the virus messages it was preparing to send. Then it started sending the messages to other e-mail addresses it found on the hard drive.

Taking out the trash

Even though I now knew that my computer was indeed "healthy," I wasn't done dealing with the virus. I still had to remove all of the virus-related e-mail from my Inbox so that I could find my legitimate messages (and to keep from "overfilling" my Inbox).

Here's a partial list of messages I received because of SoBig.F:

  • Messages containing the virus attachment itself (sent from those with infected PCs).
  • Auto-responses that said the e-mail addresses I had sent messages to didn't exist (messages that weren't really from me but were spoofed with my address).
  • Other auto-responses that said the messages I had sent contained a virus (again, these messages were spoofed with my address).
  • And, the most disconcerting of all, personal messages from people I'd never heard of asking why I was sending virus-infected messages to them (I wasn't, of course).

By the end of the day I had rules set up in Outlook to automatically remove any SoBig.F-related messages, and by the end of the second day, my e-mail service was apparently updated so that it would recognize SoBig.F messages and know not to deliver them to my Inbox in the first place. By the third day my life had gotten back to normal.
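Sorting those kinds of messages is what the Outlook rules did by hand. The Python script below is added here as an illustration and is not part of the original column; it runs the same triage over constructed sample messages. It flags a message carrying a Windows-executable attachment (the virus message itself), and for an auto-response it pulls out the quoted original message and applies the test described above: if that original claims to come from my address but its Message-ID is not in my Sent folder, my address was spoofed. The address me@example.com, the Sent-folder Message-IDs, the list of executable extensions and every sample message are assumptions constructed for this example, not real SoBig.F captures.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the reader's own address and the Message-IDs found in the
# reader's Sent folder (the check the column makes by hand).
MY_ADDRESS = "me@example.com"
SENT_IDS = {"<reply-to-colleague@example.com>"}

# Assumption: generic Windows-executable extensions, not the virus's real names.
EXECUTABLE_SUFFIXES = (".exe", ".pif", ".scr", ".bat", ".com", ".vbs")

# Constructed sample: a message carrying an executable attachment (filler bytes).
VIRUS_MSG = """\
From: friend@example.org
To: me@example.com
Subject: Re: Your document
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file.
--b1
Content-Type: application/octet-stream; name="document.scr"
Content-Disposition: attachment; filename="document.scr"
Content-Transfer-Encoding: base64

QUFBQUFBQUE=
--b1--
"""


def notice(subject, ctype, orig_from, orig_id):
    """Construct an auto-response that quotes the message it is about."""
    return f"""\
From: MAILER-DAEMON@example.net
To: {MY_ADDRESS}
Subject: {subject}
Content-Type: {ctype}; boundary="b2"

--b2
Content-Type: text/plain

Automatic notification.
--b2
Content-Type: message/rfc822

From: {orig_from}
To: someone@example.net
Subject: Hello
Message-ID: {orig_id}

(body removed)
--b2--
"""


# Constructed samples: two auto-responses about mail I never sent, one about mail I did.
SPOOFED_BOUNCE = notice("Undeliverable mail", "multipart/report", MY_ADDRESS, "<constructed-1@example.org>")
SPOOFED_AV_NOTICE = notice("Virus detected in your message", "multipart/mixed", MY_ADDRESS, "<constructed-2@example.org>")
LEGIT_BOUNCE = notice("Undeliverable mail", "multipart/report", MY_ADDRESS, "<reply-to-colleague@example.com>")


def embedded_original(msg):
    """Return the message quoted inside a bounce or auto-response, if any."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def classify(raw, my_address=MY_ADDRESS, sent_ids=SENT_IDS):
    """Label one raw message with the kind of SoBig.F-related mail it is."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()

    # 1. An executable attachment: the virus message itself, sent from an infected PC.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(EXECUTABLE_SUFFIXES):
            return "virus-attachment"

    # 2./3. Auto-responses quoting a message that claims to be from me.
    #       Not in my Sent folder means my address was spoofed.
    original = embedded_original(msg)
    if original is not None:
        orig_from = parseaddr(str(original["From"] or ""))[1].lower()
        orig_id = str(original["Message-ID"] or "").strip()
        if orig_from == my_address.lower() and orig_id not in sent_ids:
            if msg.get_content_type() == "multipart/report" or "undeliver" in subject:
                return "spoofed-bounce"
            if "virus" in subject:
                return "spoofed-av-notice"
            return "spoofed-auto-response"

    # 4. Everything else: legitimate mail, bounces of mail I really sent, and the
    #    complaints from strangers that only a person can sort out.
    return "other"


def triage(raw_messages, my_address=MY_ADDRESS, sent_ids=SENT_IDS):
    """Count each category, the way a set of Inbox rules would sort them."""
    counts = {}
    for raw in raw_messages:
        verdict = classify(raw, my_address, sent_ids)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```

The robust part of the check is the quoted original's Message-ID against the Sent folder; matching on Subject words is a heuristic that a mail provider would replace with its own signatures. Real non-delivery reports use the multipart/report content type, which is why that is tested before the subject line.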

Others, however, were not so lucky. Folks who didn't check their e-mail every day didn't discover till later that their e-mail service had been "overfilled," meaning that no further messages could be delivered to them.

What about those who WERE infected?

People who did have infected computers didn't see any signs that they were sending out messages containing viruses either. You'd think that they would've looked in their e-mail program's "Sent" folder and seen suspicious-looking messages, tipping them off to the fact that their PC had a virus. But, when they looked at their Sent folder, they did NOT see anything that looked suspicious. This was sneaky thing #2.

Its own private e-mail service

You see, the virus didn't use the victim's e-mail system. It installed its own e-mail service (called an SMTP server), and then used that to send the virus messages, completely bypassing the victim's e-mail system. I can just hear John Turturro saying "sneaky, sneaky sir."

Next time

What should you do to keep the next nasty, sneaky virus from affecting you (too much anyway)? Here's the laundry list:

  • Practice "safe computing" and keep your antivirus program up to date (for more information, see the June and July TechVille articles).
  • Do NOT open any file attachments directly from your e-mail program if you're not 100% sure it's safe to do so. Instead, save them to your hard drive first, then scan them with the antivirus program (or use an antivirus program that directly scans e-mail attachments).
  • Use a firewall program to monitor both incoming and outgoing transmissions over your Internet connection. (A well-known free one is available at www.ZoneLabs.com).
  • Use an e-mail service that's quick to update its antivirus scanning, which limits the number of virus messages you'll see in the first place.

I hope this gives you a better understanding of what happened last month, and will help things make sense when the next virus shows up. And you know it will.
