Sobig.F prevention and cure

Summary: A new variant of the Sobig virus, which caused chaos earlier this year, is spreading worldwide

Sobig.F (w32.sobig.f@mm) spreads via email and shared network files and could slow email servers with excessive traffic, so it rates a 7 on the ZDNet Virus Meter.

This worm affects only Windows computers, not Mac, Linux, or Unix systems. Like its siblings, Sobig.F has a built-in termination date, 10 September, 2003, and can attempt to retrieve, download, and finally execute a Trojan to steal credit card numbers and other personal account information. But Sobig.F differs in that it appends garbage characters to the end of the infected file, making it harder for antivirus products to recognise Sobig.F.

How it works
Sobig.F arrives as an email with the following characteristics: The From and To addresses are collected from infected PCs, from files ending with the extensions .dbx, .eml, .htm, .html, .txt, and .wab.

The Sobig.F subject line is one of the following:

  • Re: Details
  • Re: Approved
  • Re: Re: My details
  • Re: Thank you!
  • Re: That movie
  • Re: Wicked screensaver
  • Re: Your application
  • Thank you!
  • Your details

Its body text is one of the following:

  • See the attached file for details
  • Please see the attached file for details.

The file attached to Sobig.F is one of the following:
  • application.pif
  • details.pif
  • document_9446.pif
  • document_all.pif
  • movie0045.pif
  • thank_you.pif
  • your_details.pif
  • your_document.pif
  • wicked_scr.scr
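
The subject lines and attachment names above can be turned into a mail filter. The following is an added example, not code from ZDNet or any antivirus vendor; the function names, the verdict labels and the decision to block every .pif and .scr attachment are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the subject and attachment lists above.
SOBIG_SUBJECTS = {
    "re: details", "re: approved", "re: re: my details", "re: thank you!",
    "re: that movie", "re: wicked screensaver", "re: your application",
    "thank you!", "your details",
}
SOBIG_ATTACHMENTS = {
    "application.pif", "details.pif", "document_9446.pif", "document_all.pif",
    "movie0045.pif", "thank_you.pif", "your_details.pif", "your_document.pif",
    "wicked_scr.scr",
}
# Assumption: any .pif or .scr attachment is blocked, not only the listed names.
BLOCKED_EXTS = (".pif", ".scr")

def classify(raw_message: bytes) -> list:
    """Return the reasons a message matches the Sobig.F profile ([] = no match)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    # Collapse whitespace and case so header folding does not hide a match.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject in SOBIG_SUBJECTS:
        reasons.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in SOBIG_ATTACHMENTS:
            reasons.append("attachment-name:" + name)
        elif name.endswith(BLOCKED_EXTS):
            reasons.append("blocked-extension:" + name)
    return reasons

def verdict(reasons: list) -> str:
    """Subjects such as 'Thank you!' are common, so only attachments quarantine."""
    if any(r != "subject" for r in reasons):
        return "quarantine"
    return "review" if reasons else "deliver"

def build_sample(subject: str, filename: str = "") -> bytes:
    """Constructed test message; addresses and payload bytes are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("Please see the attached file for details.")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A message that matches only on subject is held for review, not quarantined, because several of the listed subjects also occur in ordinary mail.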

When executed, the worm will add the following to the system registry:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
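
To check a machine for these two Run entries, the text output of the Windows `reg query` command for each Run key can be scanned for the value name and program listed above. This is an added example, not part of the original article or any vendor tool; the function name and the sample output (including its ctfmon.exe and "Print Helper" entries) are constructed for illustration.

```python
import re

# Value name and program taken from the two Run entries listed above.
SOBIG_VALUE_NAME = "trayx"
SOBIG_PROGRAM = "winppr32.exe"

# One value line of `reg query` output: name, type, data separated by whitespace.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

# Constructed sample output; the ctfmon and "Print Helper" entries are invented.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    TrayX    REG_SZ    C:\WINDOWS\winppr32.exe /sinc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Print Helper    REG_SZ    C:\WINDOWS\WINPPR32.EXE /sinc
"""


def find_sobig_run_entries(reg_query_output: str) -> list:
    """Return (key, value name, data) for Run entries matching Sobig.F."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()  # remember which key the following values belong to
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, data = m["name"], m["data"].strip()
        # Either indicator alone is enough to flag the entry.
        if name.lower() == SOBIG_VALUE_NAME or SOBIG_PROGRAM in data.lower():
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_sobig_run_entries(SAMPLE):
        print(f"{key}: {name} = {data}")
```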

In general, do not open email attachments without first saving them to hard disk and scanning them with updated antivirus software. If you do not have automatic antivirus signature file updates, contact your antivirus vendor to obtain the most-current antivirus signature files that include Sobig.F.

Removal
Most antivirus-software companies have updated their signature files to include this worm. The updates will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, MessageLabs, Norman, Panda, Sophos, Symantec, and Trend Micro.


Log in or register to join the discussion
  • We Silver Surfers haven't a clue what you are talking about! We rely on Norton Antivirus at $38.00 a year (real money
  • I still get emails from postmaster like every time I check my email at yahoo saying that a message containing a virus was intercepted. I am kind of paranoid that this worm is sending emails to emails in my address book.

    is there a way to stop these emails from coming to my inbox??
  • I have a new computer with windows xp, today I was sent around 40 e-mails with the 're-details' and 'wicked screensaver'. I didn't attempt to see any attachments, I just opened a few e-mails until I cottoned on.
    Does that mean I have still been infected?
    I don't have any anti-virus programs.
  • I found over 140 e-mails from Sobig in my in-tray this morning. Is there a patch available to deter the virus?
  • We were completely unaffected by the Sobig virus.

    However, the rapid spread of this virus should be a wake-up call to the Internet community. It doesn't take a rocket scientist to prepare for such an outbreak. Keep your virus definitions and patches up-to-date.

    Our company was completely unaffected by the Sobig strain of viruses. We use Merak Mail Server ( ) which has an integrated Antivirus that is capable of scanning 2000+ messages per second.

    In addition, it has what is called an "Active Update" service which ensures that our virus definitions are always up-to-the-minute, up-to-date by queueing our server to download the latest virus definitions the minute a new definition is released.
  • Contrary to your report, my Mac is infected with this virus. I received 85 messages in less than an hour and several more from other servers asking me to stop sending spam!
  • Yes, get Norton Anti-Virus and make sure you have all of the updates. Also use Aol as your Service Provider they have built in email anti-virus protection.
  • Sounds like you work for them. Or are you on commission?

    My computers also haven't been attacked by a virus. But I don't need any virus software to protect it. Just a proper operating system that doesn't allow them in the first place.
  • I'd just stay away from all attachments, and delete unnecessary emails till this is over.
  • as long as u realise that aol technical support is pretty useless, and they only work from set scripts then you might feel a little happier............. yes i too use aol :-( though i have to admit i am pretty clued up about pcs)
  • if you have an attachment in an email from someone you don't know, delete it!
    if it's from someone you know, email them and ask if they sent it.

  • I have a mac system and I opened this Re:thank you email. it was addressed from a friend!! Ever since my mail box has been full of undeliverable message errors. Everything I have read says it shouldn't affect my system, but there is something weird going on!
  • hi i have had this for a few days xp has an anti virus program on one of their disks norman anti virus load it onto your system and bingo bye bye virus
  • I am working with Linux but I have an email account at Apparently, SoBig.F manages to send mails in my name although I never opened any attachment., and it is Linux anyway. My email is boris.hennig(a); I am getting enough spam so I didn't want to give the real one in the form :-)
  • Was Sent Email to today. with RE Thankyou but did not open attachment or it did not have one . is it a hoax. Is computer safe I deleted straight away also have norton security but still worried.
  • having been on the internet for 6 years now and not being an adherent of anti-virus software, (i don't use the stuff) here are a few tips that might help home users.

    use a firewall. preferably one that utilizes stateful packet filtering techniques.

    uninstall windows visual basic scripting host.

    check the file attributes for wsock and winsock files in windows directory/s and uncheck the archive box and check the read-only box instead. these files do not have to be written to for the socket to operate properly.

    empty your address books and keep your email addresses in a text file. use copy and paste from the text file to your email client.

    stay apprised of current "threats" and familiarize yourself with pertinent details such as subject lines, file sizes and other information involving current worms, trojans and viruses.

    don't open email from people you don't know.
    treat it the same way you would if it arrived in your snail-mail box. return to sender or delete. definitely do not open attachments forwarded from unknown senders.

    use web based email that provides anti-virus filtering for both inbound and outbound messages.

    learn how to create filters and use them in your email client.

    when using isp-based email, truncate your incoming email to say 2kb. that way you can "look it over" and inspect the headers before downloading the entire contents from your server.

    knowledge only constitutes power when it is put into practical application.
  • If you're on a Mac, you cannot be infected. But if you read the report, you'll see that the virus fakes the sender address when sending out emails. So if a friend of yours has an infected machine, and you're in their address book, you could be the recipient of the bounces and complaints. This is unfortunate, but does NOT mean that your machine is infected.
  • My suggestion as an IT Manager is to configure your Mail Server or email client to remove all attachments that can contain executable instructions, i.e. .EXE .SCR .VBS .COM .BAT .PIF etc

    If you virus scan all the attachments you receive you should be okay, as long as you keep the definitions up-to-date!

    I have received hundreds of emails this morning (obviously without attachments) and I can see that this is a huge worm!
  • If you don't know yet that your pc is infected and say your anti virus software hasn't picked it up, are there any commands that you can run that will show it is present??
  • this sobig virus poses a worldwide threat to every one, does it affect aircraft as well