Sobig.f prevention and cure

By Robert Vamosi
20 August 2003 11:30 AM
Tags: sobig.f, worm, virus, windows, vamosi, european union, file, antiviru
Yet another member of the Sobig virus family is loose.

Sobig.f (w32.sobig.f@mm) spreads via e-mail and shared network files and could slow e-mail servers with excessive traffic, so it rates a 7 on the ZDNet Virus Meter.

This worm affects only Windows computers, not Mac, Linux, or Unix systems. Like its siblings, Sobig.f has a built-in termination date, September 10, 2003, and can attempt to retrieve, download, and finally execute a Trojan to steal credit card numbers and other personal account information. But Sobig.f differs in that it appends garbage characters to the end of the infected file, making it harder for antivirus products to recognize Sobig.f.

How it works
Sobig.f arrives as an e-mail with the following characteristics:

The From and To addresses are collected from infected PCs, from files ending with the extensions .dbx, .eml, .htm, .html, .txt, and .wab.

The Sobig.f subject line reads:

  • Re: Details
  • Re: Approved
  • Re: Re: My details
  • Re: Thank you!
  • Re: That movie
  • Re: Wicked screensaver
  • Re: Your application
  • Thank you!
  • Your details

Its body text reads:

  • See the attached file for details
  • Please see the attached file for details.

The file attached to Sobig.f is one of:

  • application.pif
  • details.pif
  • document_9446.pif
  • document_all.pif
  • movie0045.pif
  • thank_you.pif
  • your_details.pif
  • your_document.pif
  • wicked_scr.scr

When executed, the worm will add the following to the system registry:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
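
As an added illustration (not code from the article or any vendor), the following Python script checks an incoming message against the subject lines and attachment names listed above, and additionally flags any .pif or .scr attachment regardless of name; the sample messages and addresses it builds are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators as listed in the article: subject lines and attachment names used by Sobig.f.
SOBIG_SUBJECTS = {
    "Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Thank you!", "Your details",
}
SOBIG_ATTACHMENTS = {
    "application.pif", "details.pif", "document_9446.pif", "document_all.pif",
    "movie0045.pif", "thank_you.pif", "your_details.pif", "your_document.pif",
    "wicked_scr.scr",
}
# Windows runs .pif and .scr files like .exe, so any such attachment is worth
# flagging even when its name is not on the list above.
RISKY_EXTENSIONS = (".pif", ".scr")


def sobig_indicators(raw: bytes) -> list:
    """Return the Sobig.f indicators found in a raw RFC 822 message (empty list = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SOBIG_SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if name.lower() in SOBIG_ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name.lower().endswith(RISKY_EXTENSIONS):
            hits.append("risky-extension:" + name)
    return hits


def build_sample(subject: str, body: str, filename: str = "") -> bytes:
    """Construct a sample message (not a real capture) with an optional dummy attachment."""
    msg = EmailMessage()
    msg["From"] = "user@example.invalid"   # placeholder addresses, not from the article
    msg["To"] = "user2@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(b"MZ\x00\x00", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(sobig_indicators(build_sample("Re: Details", "See the attached file for details", "details.pif")))
    print(sobig_indicators(build_sample("Lunch?", "Noon works for me.", "menu.txt")))
```

A mail gateway would quarantine on any hit; the subject-only match is weaker evidence than a listed attachment name, since ordinary replies can carry the same subject.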

Prevention
In general, do not open e-mail attachments without first saving them to hard disk and scanning them with updated antivirus software. If you do not have automatic antivirus signature file updates, contact your antivirus vendor to obtain the most-current antivirus signature files that include Sobig.f.

Removal
Most antivirus-software companies have updated their signature files to include this worm. The updates will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, MessageLabs, Norman, Panda, Sophos, Symantec, and Trend Micro.

Talkback 5 comments

Anonymous -- 22/08/03
Bad news is that it seems to be active on my Macintosh using the Apple mail client and OSX 10.2.6

Anonymous -- 23/08/03
We have 4 computers running Norton's Live Update all the time. We also ran the Update again this morning and then ran VirusScan on all 4 computers without a virus being detected on any computer. Since we have the latest update from Symantec, we should be okay.

Anonymous -- 24/08/03
I have Norton antivirus quarantining each e-mail infected with sobig.F. But I keep getting more infected e-mails from and
Is there a way to stop these e-mails?

Fredrik Lindfeldt -- 29/08/03
Stop it as soon as possible.

Postfix solution:
http://xgn.nu/sobig_f_postfix.html

Anonymous -- 25/09/03
Oddly enough, I received "sobig" types of messages, as well as messages from ISPs reporting virus-laden messages sent by my computer, over about a 4-day period from roughly 8/18 to 8/21. Maybe 200-250 messages altogether. The odd thing is that I am running mac OS 10.2, using Entourage for most of my e-mail. I have read that mac systems are immune to this virus, and yet there it was. Was it because I was using Microsoft email software? The other odd component is that the problem stopped all by itself on about 8/21. I didn't do a thing.
