A new variant of Worm:W32/Sobig, known as Sobig.F was first found on August 19th, 2003 and it is spreading in the wild.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More information on scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
The executable has a size of around 70KB and it is packed with TELock. It has its own SMTP engine, apart from routines to query directly DNS servers and make requests using the Network Time Protocol.
The worm also has updating capabilities. It will attempt to download updated versions when certain conditions are met. The worm will stop spreading on 10th of September 2003. From this date onwards the worm will exit immediately when executed.
It will install itself into:
Proceeding then to add the following keys to the Windows Registry:
- [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
So it starts when Windows does.
The worm usually arrives in e-mails with the following characteristics:
From:The 'From:' field is filled with an address found from the infected system. If no address is found, it will use "firstname.lastname@example.org"
The 'To:' field is filled with an address found from the infected system.
Any from the following list:
- Re: Thank you!
- Thank you!
- Your details
- Re: Details
- Re: Re: My details
- Re: Approved
- Re: Your application
- Re: Wicked screensaver
- Re: That movie
It chooses one from the two following lines:
- See the attached file for details
- Please see the attached file for details.
The name is selected from the following list: