Sobig Worm is a Mac OS X virus

Discussion in 'General Mac Discussion' started by 13erla, Aug 22, 2003.

  13erla

    Mar 7, 2003
    Midwest, USA
    It would seem that the winblows only based Sobig worm with the whole ".pif re:details, etc" does indeed affect Macs.

    Someone I know has Microsoft Entourage X, and i just saw today that he had 9 emails in his outbox that all contained the mysterious Windoze only Sobig virus.

    However none of the emails were going to anyone he had ever emailed.

    Has anyone else seen this occur?

    that definitely puts the NIX on the "only windows is affected"
  morlium

    Dec 18, 2002
    i've also received a ton of SoBiG e-mails, along with a few of the "undeliverable" messages from my account, and i've been trying to figure out exactly what's going on.

    I deleted my .mac account from my windows machine at work to see if that's the culprit.

    i really don't get it. i'm not a fool, and i haven't opened any of the SoBiG attachments on any of my accounts.

    otherwise, though, both systems are fine.
  loveshismac

    Nov 21, 2001
    Your mac is not affected
    just your inbox

    the worm will not affect your system even if you detach and try to run
    someone with your email address has the worm.

    simple as that

    just because you receive the emails doesn't mean you have the worm.

    SObig is made to take advantage of the newest flaw found in Winblows, not OS X
    Doesn't mean it could be written to attack us.
  idea_hamster


    Jul 11, 2003
    NYC, or thereabouts
    SoBig is a program that generates infected e-mail and sends it out to addresses stored in lots of places on your computer -- not just the address book, but also on cached web pages, etc.

    If your e-mail address is caught up in this, you'll get infected e-mail. However, it's my understanding that the virus itself can't infect your Mac -- that is, it can't farm your e-mail lists or send itself out or open the spam re-direction back door the way it does on windows machines.

    Now if you have some way to run an .exe or .pif or .scr windows executable on your Mac (Softwindows, VPC, X11-Wine...), then I'm not sure how vulnerable you are.

    Also, I would not recommend actively forwarding these messages to anyone else. Mac, PC or otherwise. You never know what machine someone'll check their e-mail on.
  TEG


    Jan 21, 2002
    Langley, Washington
    You are still running A M$ program... sobig will affect any M$ program, because they are all written with a similar code base.

    I have a Yahoo account, that I always check online. Well I've received several Postman returns of messages sent from my account, however from my former e-mail address.

    Just so you understand (And because I don't care)

    teg@geocities - is my former pre-yahoo address (Still works though) - my post yahoo address. is the account sending messages, however I have no way to send from that account.

  Powerbook G5

    Jun 23, 2003
    St Augustine, FL
    Yeah, just because you get emails as a result does not mean you are being attacked by a's just a Microsoft thing and the result is a slight annoyance with the emails.
  caveman_uk


    Feb 17, 2003
    Hitchin, Herts, UK
    Wrong. The worm is an x86 executable with its own built-in SMTP server. It will not and cannot run on a mac. Not unless you use outlook in virtual PC. Just because you can run an MS program on both platforms doesn't mean they are the same code. The source code may indeed have huge shared chunks but it's compiled for PowerPC on macs and x86 on PCs. If Sobig can run on PowerPCs as you are suggesting then OS X should run on x86 PCs - which it doesn't.

    The reason people have virus emails in their inboxes is because the virus sent them it from someone else's PC. That's all. It will not infect your mac as it cannot run. If you want to infect someone else you'll have to forward it yourself to a PC user.
  13erla

    Mar 7, 2003
    Midwest, USA
    let me clarify,

    the worm/virus whatever IS sending out emails.

    they are not JUST in the inbox... the virus IS sending out copies of itself.

    they are in the outbox. so like i said, this IS infecting Mac users as well as windows users.
  Mal


    Jan 6, 2002
    The main reason you'll get emails back like that is because Sobig uses a different email address as the sending address than the one on your machine. If someone who has you in their address book gets the virus/worm whatever it is, then you could potentially be listed as the sender of the email without ever even opening the email. I know this from experience, because I received an email with the virus in it and an email back from a friend's spam/virus blocker saying that it had blocked my infected email, even though I had deleted the email without opening it. Don't worry about it for yourself, but make sure that anyone who might have sent it on knows that they could be infected.

  mim

    Apr 24, 2003
    flesh, melbourne.... heart, london
    Another Voice of Reason

    Caveman is right.

    It's an important issue, so I'll sum up.

    The virus only affects Windows x86 boxes.

    It distributes itself by email (and seems to spoof the 'from' address from things I've been seeing recently).

    The email contains an older type of Windows executable file. You need to run it to get infected.

    Even if you run it from your Mac, you will NOT get infected, and it will NOT send itself to people in your address book.

    So you are just fine, and have not been infected. You should also ask your ISP (or school/work/uni/etc) IT guys if they can block all mail to you containing attachments with ".exe", ".pif", ".vbs", ".com", and ".bat" at least. They should have a list from Microsoft of all the 'bad' file types that should be blocked.

    <edited this line to clarify>
    This won't stop you getting infected by a REAL mac virus (as these are all PC only files), but it will stop your inbox filling up with junk.

    Hope that helps.
  mim

    Apr 24, 2003
    flesh, melbourne.... heart, london
    In your outbox?

    Have a look in the "Sent mail" folder and see what's there.
  mim

    Apr 24, 2003
    flesh, melbourne.... heart, london
    Sorry for all the posts in a row....

    Skywalker's explanation is probably what is happening to you. It is possible to 'Spoof' email addresses - both 'to' and 'from'. The mail server will still send it to the right place, but outlook will see the spoofed addresses.

    You may get spam every now and then that doesn't have YOUR address in the 'to' field.

    What could have happened is one of your (pc) friends has the virus. It has scanned their emails for more addresses to send to. It gets your address and sends an email to you, but it spoofs the 'to' field, and puts your name in the 'from' field. That way outlook will just put it straight into your 'Outbox' (I'll have to try this, mind you - I'm just making an educated guess here).

    The only mail that has been sent from your machine will be in the 'Sent mail' folder. The 'Out box' contains emails waiting to be sent.
  rainman::|:|


    Feb 2, 2002
    it will not infect your mac.

    it will not propagate from your mac.

  Snowy_River


    Jul 17, 2002
    Corvallis, OR
    If it isn't what mim suggested (Entourage automatically putting these emails into the Outbox, even though they were, in fact, incoming emails) I would guess that your friend is pulling a fast one on you. Even on Windows machines, the SoBig virus doesn't put emails in the outbox, because it has built-in SMTP software. That is to say that it has its own email software built into it.
  Rower_CPU


    Oct 5, 2001
    San Diego, CA
    I'll pass along my experience with Sobig and our campus network.

    Many staff email addresses were harvested and people are receiving "undeliverable" and virus warning messages to people that they have never sent email to. Some PCs infected with Sobig are the culprits, but everyone REGARDLESS of platform sees these returned emails.

    So, PCs are the only ones directly vulnerable, but everyone is inconvenienced. Add the new IE insecurities to Sobig and MSBlast and you have a very pissed off network security crew.
  jbotaf

    Sep 11, 2003
    I think we are not getting to the bottom of this issue! Can my MAC running Virtual PC 6.1 and Windows XP be infected with the Sobig.f or MSBlaster viruses/worms and propagate from there? As a network administrator trying to clean my local network, can I be assured that after fixing all the PCs on the network (and ignoring the MACs) I will get no re-infestation from the "MACs" -- or that there will be no worms/viruses spreading to other networks from my network?

    In this scenario, can a MAC under special circumstances become a link in the spread of virus/worm infections?
  Rower_CPU


    Oct 5, 2001
    San Diego, CA
    Well, if you have Windows running in any shape or form (emulated or not) there is the definite chance you can get infected.

    Macs (note the lower case) do not spread the virus. Windows does.
  jxyama


    Apr 3, 2003
    i think it's been stated but this worm works as follows:

    user A gets infected. on A's address book, email addresses for B and C are on it. the virus sends an email from A to C, but spoofing the sender address to make the email look like it was sent from B.

    if C is no longer a valid account, B will get a return message from C's former account stating that the email was not delivered even though B himself never sent C an email. in fact, B may not even know who C is.

    if C's computer is monitored and the virus is caught, a warning is sent to B, telling him that the email sent was infected. again, B has no clue why he got the email.

    notice that the platform doesn't come into play. you can get these effects of the virus regardless of whether you are running Windows, linux, unix, Mac or whatever else...

    i don't know about virtual PC. i imagine if you run a virtual PC and within it, execute the virus, you'd get infected.
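
The spoofed-sender bounce described in the post above, seen from B's side. This is an added example, not part of any post in the thread: it reads the original message embedded in a bounce and checks whether the host that handed it in was one of B's own. The sample message, the addresses, the `analyze_bounce` helper and the `my_ips` allow-list are constructed for illustration, and the check assumes the worm delivered straight to C's server, which fits the built-in SMTP engine mentioned earlier in the thread.

```python
import email
import re
from email.utils import parseaddr

# Constructed bounce (not a real capture): C's server returns mail that claims to be from B.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mail.c-domain.example
To: b@b-domain.example
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

c@c-domain.example: no such user
--BOUND
Content-Type: message/rfc822

Received: from a-pc ([192.0.2.77]) by mail.c-domain.example; Fri, 22 Aug 2003 10:00:00 -0500
From: b@b-domain.example
To: c@c-domain.example
Subject: Re: Details
Content-Type: application/octet-stream; name="details.pif"

AAAA
--BOUND--
"""

BLOCKED_EXT = (".exe", ".pif", ".scr", ".vbs", ".com", ".bat")  # extensions named in the thread

def analyze_bounce(raw, my_address, my_ips):
    """Summarise the original message embedded in a bounce; None if it is absent."""
    bounce = email.message_from_string(raw)
    original = next((p.get_payload()[0] for p in bounce.walk()
                     if p.get_content_type() == "message/rfc822"), None)
    if original is None:
        return None
    # The top-most Received header was written by the server that bounced the mail and
    # records the host that connected to it; lower ones can be fabricated by the sender.
    hops = original.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[0]) if hops else None
    origin_ip = m.group(1) if m else None
    claimed = parseaddr(original.get("From", ""))[1].lower()
    names = [p.get_filename() for p in original.walk() if p.get_filename()]
    return {
        "claimed_from": claimed,
        "origin_ip": origin_ip,
        "forged": claimed == my_address.lower() and origin_ip not in (None, *my_ips),
        "risky_attachments": [n for n in names if n.lower().endswith(BLOCKED_EXT)],
    }
```

A `forged` result means the From line names B but the connecting host is not one B sends mail from, so the machine to clean is the one at `origin_ip`, not B's.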
  Schiffi


    May 22, 2003
    Again, why would anyone check their mail in VPC?
  Horrortaxi


    Jul 6, 2003
    Los Angeles
    VPC still has to go through the OS X firewall to use the internet, so unwanted traffic can still be blocked. Other than that, an unprotected VPC is the same as an unprotected PC. I wouldn't want to spread a virus with my VPC, but if I got one that did funky things I wouldn't mind too much. Having VPC is kind of like having an ant farm--just sit back and observe. No matter what happens, you're still okay.

