Sobig.F prevention and cure

A new variant of the Sobig virus, which caused chaos earlier this year, is spreading worldwide
Written by Robert Lemos, Contributor
Sobig.F (w32.sobig.f@mm) spreads via email and shared network files and could slow email servers with excessive traffic, so it rates a 7 on the ZDNet Virus Meter.

This worm affects only Windows computers, not Mac, Linux, or Unix systems. Like its siblings, Sobig.F has a built-in termination date, 10 September, 2003, and can attempt to retrieve, download, and finally execute a Trojan to steal credit card numbers and other personal account information. But Sobig.F differs in that it appends garbage characters to the end of the infected file, making it harder for antivirus products to recognise Sobig.F.

How it works
Sobig.F arrives as an email with the following characteristics: The From and To addresses are collected from infected PCs, from files ending with the extensions .dbx, .eml, .htm, .html, .txt, and .wab.

The Sobig.F subject line reads:

  • Re: Details
  • Re: Approved
  • Re: Re: My details
  • Re: Thank you!
  • Re: That movie
  • Re: Wicked screensaver
  • Re: Your application
  • Thank you!
  • Your details

Its body text reads:

  • See the attached file for details
  • Please see the attached file for details.

The file attached to Sobig.F is:

  • application.pif
  • details.pif
  • document_9446.pif
  • document_all.pif
  • movie0045.pif
  • thank_you.pif
  • your_details.pif
  • your_document.pif
  • wicked_scr.scr

When executed, the worm will add the following to the system registry:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
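As an added example (not part of the article), the Python below flags a mail message that matches the subject, body text and attachment indicators listed above, and checks a Run-key value against the TrayX entry; the sample messages and their addresses are constructed for the demonstration.

```python
# Added example (not from the article): match mail against the Sobig.F indicators and the Run-key value.
import email, ntpath
from email import policy

SUBJECTS = {"Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
            "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
            "Thank you!", "Your details"}
BODIES = {"See the attached file for details", "Please see the attached file for details."}
ATTACHMENTS = {"application.pif", "details.pif", "document_9446.pif", "document_all.pif",
               "movie0045.pif", "thank_you.pif", "your_details.pif", "your_document.pif",
               "wicked_scr.scr"}

def sobig_f_indicators(raw):
    """Return the Sobig.F indicators matched by a raw RFC 822 message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in BODIES:
        hits.append("body")
    for part in msg.iter_attachments():          # non-body parts of a multipart message
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits

def is_sobig_f_run_entry(value_name, value_data):
    """True if a Run-key value matches "TrayX" = <path>\\winppr32.exe /sinc."""
    exe, _, args = value_data.lower().partition(" ")   # the worm writes an unquoted %windir% path
    return value_name.lower() == "trayx" and ntpath.basename(exe) == "winppr32.exe" and "/sinc" in args

# Constructed samples: one message assembled from the article's indicators, one benign message.
SAMPLE_WORM = """\
From: a@example.org
Subject: Re: Thank you!
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

Please see the attached file for details.
--b
Content-Type: application/octet-stream; name="thank_you.pif"
Content-Disposition: attachment; filename="thank_you.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b--
"""
SAMPLE_BENIGN = "From: a@example.org\nTo: b@example.org\nSubject: Lunch?\n\nNoon works.\n"
```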

In general, do not open email attachments without first saving them to hard disk and scanning them with updated antivirus software. If you do not have automatic antivirus signature file updates, contact your antivirus vendor to obtain the most current antivirus signature files that include Sobig.F.

Removal

Most antivirus-software companies have updated their signature files to include this worm. The updates will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, MessageLabs, Norman, Panda, Sophos, Symantec, and Trend Micro.