Experts Warn Sobig Worm Still Dangerous
Dec. 17 -- First discovered in August 2003, mass-mailing worm W32/Sobig.F-mm caused a lot of grief in a short amount of time, and is still in the top 10 viruses plaguing users.
W32/Sobig.F-mm was built to stop mass-mailing itself on Sept. 10, and several antivirus companies downgraded its threat level at that point. Though "deactivated", it is still listed as one of the top infectors and is credited with spreading spam across the Internet. The cutoff date only stops the mass-mailing routine: a machine that is still infected can be used to relay spam and to fetch updates to the worm, so the infection still needs to be removed rather than waited out.
One of the fastest-moving viruses, Sobig.F usually spreads as an e-mail attachment (typically a PIF or SCR file), though it also attempts to copy itself to network shares, leaving open the possibility of re-infection even after the original infected machines have been cleaned. To catch Sobig.F, a user must open (run) the attachment. Once running, Sobig.F sends copies of itself using its own SMTP engine to addresses harvested from text, database, HTML and e-mail files on the victim's machine. The virus also uses the harvested addresses to forge the "From" field and disguise the origin of the e-mail. This caused major headaches: many innocent users were blamed for sending infected traffic, and the bounce messages generated by the forged senders added to the flood of mail on the Internet.
Once running, the virus attempts to get the current date and time from one of several Network Time Protocol (NTP) servers, so it does not have to trust the local clock. If the time is between 19:00 and 22:00 Coordinated Universal Time (UTC), or 8 p.m. and 11 p.m. UK time, on a Friday or Sunday, it sends a UDP packet to a remote server on port 8998. This is believed to be a check-in used to download an update file, a behavior shown by earlier versions of Sobig. Blocking outbound UDP traffic to port 8998 at the firewall is recommended as a workaround for this feature.
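The timing check and the egress block described above, as an added example that is not part of the original article: a function that tests whether a given time falls in the Friday/Sunday 19:00-22:00 UTC window, a scan of Windows Firewall log lines (pfirewall.log W3C layout) for outbound UDP traffic to port 8998, and a function that adds the recommended outbound block with New-NetFirewallRule. The log lines are constructed for the example; treating 22:00 as the exclusive end of the window, and assuming the logging host's clock was set to UTC, are assumptions.

```powershell
# Added example, not from the article. Sample log lines are constructed.

function Test-SobigUpdateWindow {
    param([Parameter(Mandatory)][datetime]$Time)
    $utc = $Time.ToUniversalTime()
    # Friday or Sunday, 19:00 <= t < 22:00 UTC (22:00 exclusive is an assumption).
    ($utc.DayOfWeek.ToString() -in @('Friday', 'Sunday')) -and
        ($utc.Hour -ge 19) -and ($utc.Hour -lt 22)
}

function Find-SobigUpdateAttempts {
    # Scans pfirewall.log lines: date time action protocol src-ip dst-ip src-port dst-port
    # size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path (17 fields).
    param([Parameter(Mandatory)][string[]]$LogLines)
    foreach ($line in $LogLines) {
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 17) { continue }
        $proto = $f[3]; $dstPort = $f[7]; $path = $f[16]
        if ($proto -eq 'UDP' -and $dstPort -eq '8998' -and $path -eq 'SEND') {
            $ts = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
            # pfirewall.log stamps local time; assume the host clock was UTC.
            $tsUtc = [datetime]::SpecifyKind($ts, 'Utc')
            [pscustomobject]@{
                Time     = $tsUtc
                Source   = $f[4]
                Target   = $f[5]
                Action   = $f[2]
                InWindow = Test-SobigUpdateWindow -Time $tsUtc
            }
        }
    }
}

function Block-SobigUpdatePort {
    # The egress block the article recommends, using the modern firewall cmdlet.
    # Requires an elevated prompt; on 2003-era hosts use the firewall vendor's own UI.
    New-NetFirewallRule -DisplayName 'Block Sobig.F update check (UDP 8998 outbound)' `
        -Direction Outbound -Protocol UDP -RemotePort 8998 -Action Block
}

# Constructed sample: a Friday in-window hit, an unrelated web request, and a
# Saturday hit that matches the port but falls outside the trigger window.
$sampleLog = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2003-08-22 20:15:07 DROP UDP 192.168.1.20 203.0.113.5 1057 8998 58 - - - - - - - SEND',
    '2003-08-21 09:00:01 ALLOW TCP 192.168.1.20 203.0.113.9 1060 80 48 S 123 0 65535 - - - SEND',
    '2003-08-23 20:00:30 DROP UDP 192.168.1.21 203.0.113.5 1061 8998 58 - - - - - - - SEND'
)

Find-SobigUpdateAttempts -LogLines $sampleLog | Format-Table -AutoSize
```

Run against a real pfirewall.log with `Find-SobigUpdateAttempts -LogLines (Get-Content $env:windir\pfirewall.log)`; a hit with InWindow set to True on a host that should have no business on UDP/8998 is a strong indicator that the machine is still infected, and the Source column tells you which one to clean.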
Automatic Spam Distributor
When a user runs an infected attachment, Sobig creates a copy of itself called winppr32.exe in the Windows folder (C:\Windows or C:\Winnt). It then adds the value "TrayX"="%Windir%\winppr32.exe /sinc" to the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so the virus is started again whenever the machine boots or the user logs on. Sobig also creates a file called winstt32.dat in the Windows folder (%windir% is the Windows folder noted above), which it uses to store the e-mail addresses gathered from the victim's machine.
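The persistence artifacts just listed, as an added example that is not part of the original article: a PowerShell check for the TrayX Run value in both hives and for winppr32.exe and winstt32.dat in %windir%, with a removal function that supports -WhatIf. The function names are hypothetical; the process name winppr32 assumes the running copy keeps the file name the article gives.

```powershell
# Added example, not from the article: find and remove the Sobig.F persistence
# artifacts described above. Function names are hypothetical.

function Get-SobigArtifacts {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        # -ErrorAction SilentlyContinue: the value is simply absent on a clean host.
        $val = Get-ItemProperty -Path $key -Name 'TrayX' -ErrorAction SilentlyContinue
        if ($null -ne $val) {
            [pscustomobject]@{ Type = 'Registry'; Path = $key; Name = 'TrayX'; Detail = $val.TrayX }
        }
    }
    foreach ($name in @('winppr32.exe', 'winstt32.dat')) {
        $p = Join-Path $env:windir $name
        if (Test-Path -LiteralPath $p) {
            [pscustomobject]@{ Type = 'File'; Path = $p; Name = $name; Detail = (Get-Item -LiteralPath $p).Length }
        }
    }
}

function Remove-SobigArtifacts {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Stop the running copy first: a running image cannot be deleted, and the worm
    # would otherwise re-create the Run value.
    if ($PSCmdlet.ShouldProcess('winppr32 process', 'Stop')) {
        Get-Process -Name 'winppr32' -ErrorAction SilentlyContinue | Stop-Process -Force
    }
    foreach ($a in Get-SobigArtifacts) {
        $target = if ($a.Type -eq 'Registry') { "$($a.Path)\$($a.Name)" } else { $a.Path }
        if ($PSCmdlet.ShouldProcess($target, 'Remove')) {
            if ($a.Type -eq 'Registry') {
                Remove-ItemProperty -Path $a.Path -Name $a.Name
            } else {
                Remove-Item -LiteralPath $a.Path -Force
            }
        }
    }
}

# Report what is present; run Remove-SobigArtifacts -WhatIf to preview the cleanup.
Get-SobigArtifacts | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM value and the files in the Windows folder are writable. Because the worm also copies itself to network shares, clean every host on the segment before reconnecting any of them, or the first machine back online will re-seed the others.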