© Asian Institute of Technology,
P.O. Box 4, Klong Luang,
Pathumthani 12120, Thailand
Tel: (66 2) 524 6082
Email: helpdesk@ait.ac.th


W32/Sobig-F Worm

Aliases
I-Worm.Sobig.f, W32/Sobig.F-mm, W32/Sobig.f@MM, WORM_SOBIG.F

Type
Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the October 2003 (3.74) release of Sophos Anti-Virus.

Sophos has received many reports of this worm from the wild.

Description
W32/Sobig-F is a worm that spreads via email and network shares.
W32/Sobig-F copies itself to the Windows folder as winppr32.exe and sets one of the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrayX
= <Windows folder>\winppr32.exe /sinc
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrayX
= <Windows folder>\winppr32.exe /sinc

The worm sends itself, using its own SMTP engine, as an attachment to email addresses collected from various files on the victim's computer. When it distributes itself via email it forges the sender's email address, making it difficult to know who is truly infected.

The email has the following format:

Subject line: Chosen from -

  • Re: That movie
  • Re: Wicked screensaver
  • Re: Your application
  • Re: Approved
  • Re: Re: My details
  • Re: Details
  • Your details
  • Thank you!


Message text: Chosen from -

  • Please see the attached file for details.
  • See the attached file for details


Attached file: Chosen from -

  • movie0045.pif
  • wicked_scr.scr
  • application.pif
  • document_9446.pif
  • details.pif
  • your_details.pif
  • thank_you.pif
  • document_all.pif
  • your_document.pif
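The email indicators listed above and the TrayX registry value quoted in the Description are the two things a defender can match on; the following Python is an added example of doing so (it is not code from Sophos, AIT or this advisory). The registry export text and the message fields it checks are constructed sample input, and the function names are the example's own.

```python
"""Defender-side indicator matcher for W32/Sobig-F (added example).

Illustrative code built only from the indicators quoted in the advisory;
it is not Sophos or AIT tooling. The registry export and the message
fields used below are constructed sample input.
"""
import re

# Indicators quoted in the advisory.
SUBJECTS = {
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Re: Approved", "Re: Re: My details", "Re: Details", "Your details",
    "Thank you!",
}
BODIES = {
    "Please see the attached file for details.",
    "See the attached file for details",
}
ATTACHMENTS = {
    "movie0045.pif", "wicked_scr.scr", "application.pif", "document_9446.pif",
    "details.pif", "your_details.pif", "thank_you.pif", "document_all.pif",
    "your_document.pif",
}
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
RUN_VALUE_NAME = "TrayX"
# The value data ends in "<Windows folder>\winppr32.exe /sinc"; the folder varies.
RUN_VALUE_RE = re.compile(r"\\winppr32\.exe\s+/sinc\s*$", re.IGNORECASE)

# Constructed sample of a "reg export" dump covering both Run keys.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"""


def classify_message(subject, body, attachment):
    """Return the names of the indicators one inbound message matches.

    The worm forges the From: address, so the sender is deliberately not an
    input: a match says the message is the worm, not that the sender is infected.
    """
    hits = []
    if subject.strip() in SUBJECTS:
        hits.append("subject")
    if body.strip() in BODIES:
        hits.append("body")
    if attachment and attachment.lower() in ATTACHMENTS:
        hits.append("attachment")
    return hits


def is_sobig_f_message(subject, body, attachment):
    """A listed attachment name is decisive on its own; the subject and body
    strings are generic enough that both must match otherwise."""
    hits = set(classify_message(subject, body, attachment))
    return "attachment" in hits or {"subject", "body"} <= hits


def find_run_key_persistence(reg_export):
    """Scan a reg-export text dump for the TrayX autorun entry.

    Returns (key, value_data) pairs whose data ends in winppr32.exe /sinc.
    Backslashes are doubled in .reg files, so they are unescaped first.
    """
    findings = []
    current_key = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not m or current_key is None:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if (current_key in RUN_KEYS and name == RUN_VALUE_NAME
                and RUN_VALUE_RE.search(data)):
            findings.append((current_key, data))
    return findings


if __name__ == "__main__":
    for key, data in find_run_key_persistence(SAMPLE_REG_EXPORT):
        print(f"Sobig-F persistence: {key}\\{RUN_VALUE_NAME} = {data}")
    print(is_sobig_f_message("Re: Approved", "See the attached file for details",
                             "details.pif"))
```

The message check is written so that a listed attachment name alone is enough, while the subject and body lines (which legitimate mail can also carry) only count together; the registry check accepts any Windows folder path, since the advisory gives it only as a placeholder.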


W32/Sobig-F also attempts to spread by copying itself to Windows network shares, and contacts one of several servers via the Network Time Protocol to determine the current date and time. If the date is September 10 2003 or later the worm stops working.

Recovery
W32/Sobig-F can be removed from Windows 95/98/Me/NT/2000/XP computers automatically with RESOLVE.

Either download the RESOLVE W32/Sobig self-extractor and double-click it (the contents will extract to C:\SOPHTEMP),
or send an email to the autoresponder at sobig-request@sophos.com, then create a C:\Sophtemp folder and unzip the SOBIG.ZIP file you are sent into this folder.

Select Start|Run, then type cmd (on Windows 95/98/Me type command) to open a command prompt.

Click OK

To remove the worm, type
C:\SOPHTEMP\RESOLVE.COM -DF=SOBIG.DAT -NOC and press the Enter key.

The above process will remove the infected file from memory, clean the registry and remove the infected file from the system.

You can find detailed instructions on running RESOLVE in the notes enclosed in the self-extractor.

To remove W32/Sobig-F on other platforms please follow the instructions for removing worms.

Removal Tool:
- A removal tool is now available from our AIT FTP site: ftp://intraweb.ait.ac.th/anti-virus/sobigsfx.exe