Experts Warn Sobig Worm Still Dangerous

Dec. 17, 2003 -- First discovered in August 2003, mass-mailing worm W32/Sobig.F-mm caused a lot of grief in a short amount of time, and is still in the top 10 viruses plaguing users.

W32/Sobig.F-mm was supposed to terminate its propagation on Sept. 10 and was downgraded in threat level by several antivirus companies. Though "deactivated", it is still listed as one of the top infectors, and it is attributed with spreading spam across the Internet. After the deactivation date, it can still be used to propagate spam and update itself, making it important to remove the infection.

One of the fastest-moving viruses, Sobig.F usually spreads as an e-mail attachment (typically a PIF or SCR file), though it also attempts to spread through network shares, leaving open the possibility of re-infection even after the originally infected machines have been cleaned. For a user to catch Sobig.F, they must run or view the e-mail attachment. Once running, Sobig.F sends copies of itself using its own SMTP engine to addresses harvested from text, database, HTML and e-mail files on the victim's machine. The virus also uses the harvested addresses to spoof the "From" field and disguise the origin of the e-mail. This feature caused major headaches, as many innocent users were blamed for sending out infected traffic, and the bounced-back e-mail in itself clogged the Internet.

Once running, the virus attempts to get the current date and time from one of several Network Time Protocol (NTP) servers. If the time is between 19:00 and 22:00 Coordinated Universal Time (UTC), or 8 p.m. and 11 p.m. UK time, on a Friday or Sunday, it sends a UDP packet to a remote server on port 8998. This is suspected to be used to download an update file, a behavior seen in earlier versions of Sobig. Blocking outgoing UDP connections to port 8998 with a firewall is recommended as a workaround for this feature.
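As an added defensive example (not code from the article or from any vendor), the following Python script scans firewall log lines for the outbound UDP port 8998 traffic described above and flags whether each hit falls inside the worm's Friday/Sunday 19:00-22:00 UTC window. The log format, hostnames and IP addresses are constructed for illustration; the window end is treated as exclusive.

```python
import re
from datetime import datetime, timezone

# Constructed sample firewall log lines (not taken from the article).
# Format assumed for this example: "<ISO timestamp>Z <action> <proto> src:port -> dst:port".
SAMPLE_LOG = """\
2003-08-22T19:30:12Z ALLOW UDP 192.168.1.23:1035 -> 203.0.113.5:8998
2003-08-22T19:31:40Z ALLOW TCP 192.168.1.23:1036 -> 198.51.100.9:25
2003-08-23T20:05:01Z ALLOW UDP 192.168.1.40:1041 -> 203.0.113.7:8998
2003-08-24T21:59:59Z ALLOW UDP 192.168.1.23:1050 -> 203.0.113.5:8998
2003-08-25T12:00:00Z ALLOW UDP 192.168.1.23:1052 -> 203.0.113.5:8998
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SOBIG_PORT = 8998            # destination port the article says the worm beacons to
TRIGGER_DAYS = {4, 6}        # datetime.weekday(): Monday=0, so Friday=4, Sunday=6
WINDOW_START, WINDOW_END = 19, 22   # 19:00 <= t < 22:00 UTC (end treated as exclusive)


def in_trigger_window(ts):
    """True if a UTC timestamp falls in the Friday/Sunday 19:00-22:00 window."""
    return ts.weekday() in TRIGGER_DAYS and WINDOW_START <= ts.hour < WINDOW_END


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "proto": m["proto"], "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def find_sobig_beacons(log_text):
    """Return every outbound UDP/8998 record, annotated with whether it hit the window."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] != SOBIG_PORT:
            continue
        rec["in_window"] = in_trigger_window(rec["ts"])
        hits.append(rec)
    return hits


def suspect_hosts(hits):
    """Sorted list of source hosts that beaconed inside the trigger window."""
    return sorted({h["src"] for h in hits if h["in_window"]})
```

Hosts returned by `suspect_hosts` are candidates for the file and registry checks described in the next section; UDP/8998 traffic outside the window is still worth a look, since the time check depends on the worm reaching an NTP server.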

Automatic Spam Distributor

When a user runs an infected attachment, Sobig creates a copy of itself called winppr32.exe in the Windows folder (C:\Windows or C:\Winnt). It then adds the value "TrayX"="%Windir%\winppr32.exe /sinc" to the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This means that the virus will run whenever the machine is booted. Sobig also creates a file called winstt32.dat in the Windows folder (%Windir% is the Windows folder noted above), which is used to store e-mail addresses gathered from the victim's machine.

The virus also looks for accessible network shares to which the PC has write access. Symantec reports, though, that due to a bug in the code, Sobig cannot copy itself over network shares. Sobig.F can download arbitrary files from server addresses stored in the virus and execute them. Also according to Symantec, "The author of the worm has used this functionality to steal confidential system information and to set up spam relay servers on infected computers." This is in line with ThreatFocus's estimate that over 50 percent of the spam on the Web comes from Sobig-infected zombie computers. It is suspected that Sobig.F attempts to contact a master server that its author controls and downloads a URL from which it fetches a Trojan to run on the local PC.

Fact File

Name: W32/Sobig.F-mm, W32/Sobig.F@mm, Sobig.F, Worm-Sobig.F, Win32.Sobig.F
Type: Windows 32-bit virus/worm
Affected systems: Windows 95/98/ME, Windows NT, Windows 2000, Windows XP
Non-affected systems: Windows 3.x, Linux, Unix, OS/2, Mac
Files created: winppr32.exe, winstt32.dat
E-mail From field: varies; may be admin@internet.com or spoofed with harvested e-mail addresses
E-mail Subject field: varies
Body of e-mail: varies
Attachment: varies