Sobig.F prevention and cure
Published: 20 Aug 2003 09:25 BST
Sobig.F (w32.sobig.f@mm) spreads via email and shared network files and could slow email servers with excessive traffic, so it rates a 7 on the ZDNet Virus Meter.
This worm affects only Windows computers, not Mac, Linux, or Unix systems. Like its siblings, Sobig.F has a built-in termination date, 10 September, 2003, and can attempt to retrieve, download, and finally execute a Trojan to steal credit card numbers and other personal account information. But Sobig.F differs in that it appends garbage characters to the end of the infected file, making it harder for antivirus products to recognise Sobig.F.
How it works
Sobig.F arrives as an email with the following characteristics:
The From and To addresses are collected from infected PCs, from files ending with the extensions .dbx, .eml, .htm, .html, .txt, and .wab.
The Sobig.F subject line reads:
- Re: Details
- Re: Approved
- Re: Re: My details
- Re: Thank you!
- Re: That movie
- Re: Wicked screensaver
- Re: Your application
- Thank you!
- Your details
Its body text reads:
- See the attached file for details
- Please see the attached file for details.
The file attached to Sobig.F is:
- application.pif
- details.pif
- document_9446.pif
- document_all.pif
- movie0045.pif
- thank_you.pif
- your_details.pif
- your_document.pif
- wicked_scr.scr
When executed, the worm will add the following to the system registry:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
Prevention
In general, do not open email attachments without first saving them to hard disk and scanning them with updated antivirus software. If you do not have automatic antivirus signature file updates, contact your antivirus vendor to obtain the most-current antivirus signature files that include Sobig.F.
Removal Most antivirus-software companies have updated their signature files to include this worm. The updates will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, MessageLabs, Norman, Panda, Sophos, Symantec, and Trend Micro.
Did you find this article useful?
72 out of 183 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
Full Talkback thread
29 comments
-
We Silver Surfers haven't a clue what you are talk... Anonymous -
I still get emails from postmaster like everytime... salah
-
I have a new computer with windows xp, today I was... Anonymous
-
I found over 140 e-mails from Sobig in my in-tray... Anonymous
-
We were completely unaffected byt the Sobig virus.... Anonymous
-
Contrary to your report, my Mac is infected with t... Anonymous
-
Yes, get Norton Anti-Virus and make sure you have... Edward Lanigan
-
Sounds like you work for them. Or are you on comm... Kev
-
I'd just stay away from all attachements, and dele... Takanuva
-
as long as u realise that aol technical support is... pixie
-
if you have an attachement in an email from someon... mark
-
I have a mac system and I opened this Re:thank you... Kimberly Posten
-
hi i have had this for a few day xp has an anti vi... david evans
-
I am working with Linux but I have an email accoun... Boris Hennig
-
Was Sent Email to today. with RE Thankyou but did... Andy
-
having been on the internet for 6 years now and no... 228
-
If you're on a Mac, you cannot be infected. But if... Anonymous
-
My suggestion as an IT Manager is to configure you... Chris Tate-Davies
-
If you don't know yet that your pc is infected and... Me
-
this sobig virus poses a worldwide threat to every... Anonymous
-
Avoid Norton AV, McAfee, and F-Protect. They all... TheTrout
-
I have stopped the postmasters by setting up the e... Anonymous
-
Macs' were affected to by this worm. But I can't... Erik Yap
-
So easy to prevent all these viruses go to www.gri... David
-
I have yahoo mail and have been getting slammed w/... Anonymous
-
i use a web based e-mail account and that has been... carl murray
-
KEV - TECHIE ,I HAVE JUST GOT NEW COMPUTER WITH WI... GAYNOR
-
i had norton virus & utilitys they are just quick... Anonymous
-
After being virused earlier this year by the Sobig... Mark
