ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Prices
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


Security management Toolkit

Sobig.F prevention and cure

Robert Lemosi ZDNet

Published: 20 Aug 2003 09:25 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Sobig.F (w32.sobig.f@mm) spreads via email and shared network files and could slow email servers with excessive traffic, so it rates a 7 on the ZDNet Virus Meter.

This worm affects only Windows computers, not Mac, Linux, or Unix systems. Like its siblings, Sobig.F has a built-in termination date, 10 September, 2003, and can attempt to retrieve, download, and finally execute a Trojan to steal credit card numbers and other personal account information. But Sobig.F differs in that it appends garbage characters to the end of the infected file, making it harder for antivirus products to recognise Sobig.F.

How it works
Sobig.F arrives as an email with the following characteristics: The From and To addresses are collected from infected PCs, from files ending with the extensions .dbx, .eml, .htm, .html, .txt, and .wab.

The Sobig.F subject line reads:

  • Re: Details
  • Re: Approved
  • Re: Re: My details
  • Re: Thank you!
  • Re: That movie
  • Re: Wicked screensaver
  • Re: Your application
  • Thank you!
  • Your details

Its body text reads:

  • See the attached file for details
  • Please see the attached file for details.

The file attached to Sobig.F is:

  • application.pif
  • details.pif
  • document_9446.pif
  • document_all.pif
  • movie0045.pif
  • thank_you.pif
  • your_details.pif
  • your_document.pif
  • wicked_scr.scr

When executed, the worm will add the following to the system registry:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc

Prevention
In general, do not open email attachments without first saving them to hard disk and scanning them with updated antivirus software. If you do not have automatic antivirus signature file updates, contact your antivirus vendor to obtain the most-current antivirus signature files that include Sobig.F.

Removal Most antivirus-software companies have updated their signature files to include this worm. The updates will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, MessageLabs, Norman, Panda, Sophos, Symantec, and Trend Micro.

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Did you find this article useful?
72 out of 183 people found this useful


Talkback

Post a comment


Full Talkback thread

29 comments

  1. We Silver Surfers haven't a clue what you are talk... Anonymous
  2. I still get emails from postmaster like everytime... salah
  3. I have a new computer with windows xp, today I was... Anonymous
  4. I found over 140 e-mails from Sobig in my in-tray... Anonymous
  5. We were completely unaffected byt the Sobig virus.... Anonymous
  6. Contrary to your report, my Mac is infected with t... Anonymous
  7. Yes, get Norton Anti-Virus and make sure you have... Edward Lanigan
  8. Sounds like you work for them. Or are you on comm... Kev
  9. I'd just stay away from all attachements, and dele... Takanuva
  10. as long as u realise that aol technical support is... pixie
  11. if you have an attachement in an email from someon... mark
  12. I have a mac system and I opened this Re:thank you... Kimberly Posten
  13. hi i have had this for a few day xp has an anti vi... david evans
  14. I am working with Linux but I have an email accoun... Boris Hennig
  15. Was Sent Email to today. with RE Thankyou but did... Andy
  16. having been on the internet for 6 years now and no... 228
  17. If you're on a Mac, you cannot be infected. But if... Anonymous
  18. My suggestion as an IT Manager is to configure you... Chris Tate-Davies
  19. If you don't know yet that your pc is infected and... Me
  20. this sobig virus poses a worldwide threat to every... Anonymous
  21. Avoid Norton AV, McAfee, and F-Protect. They all... TheTrout
  22. I have stopped the postmasters by setting up the e... Anonymous
  23. Macs' were affected to by this worm. But I can't... Erik Yap
  24. So easy to prevent all these viruses go to www.gri... David
  25. I have yahoo mail and have been getting slammed w/... Anonymous
  26. i use a web based e-mail account and that has been... carl murray
  27. KEV - TECHIE ,I HAVE JUST GOT NEW COMPUTER WITH WI... GAYNOR
  28. i had norton virus & utilitys they are just quick... Anonymous
  29. After being virused earlier this year by the Sobig... Mark

Related Links

More In Security management



Company/Topic Alerts

Create a new alert from the list below:



Sentry Posts Blog

Nasa and the virus

Yesterday the BBC ran a story about a computer virus making it into orbit, which I read with incredulity. OK, it's a nice silly season story on the surface, but what really got me was... More

3 comments

Customer data found on eBay server hig...

The recent news about customer details being retrieved from a server sold on eBay is yet another story about the sorry state of information security in the electronic age (see: http://news.zdnet.co.uk/...m).... More

Post a comment

Does it matter if you are an aardvark...

In spam terms, apparently it does. According to Cambridge University security expert Richard Clayton, if your email address is aardvark at animal.net, you are more likely to receive... More

1 comment

Featured Talkback

It seems to me this is a burden being placed on the wrong shoulders. There is not an It system in the world that can stop an individual taking information in their heads and spewing out at the nearest undesirable third party.

By: RonaldWilkins

Read full story:
Deloitte: People are still weakest security link

DOWNLOAD

Security Essentials

Security Downloads

There are masses of security suites out there for small businesses. Here's a selection to get you started

Editor’s Rating
1 Norton 360™
2 AVG Anti-Virus Free Edition Rating: 10
3 PC Tools AntiVirus Free Edition
4 Kaspersky Internet Security

See All Software

In association with Symantec