ZDNet UK
Sobig.F prevention and cure

Robert Lemos, ZDNet

Published: 20 Aug 2003 09:25 BST

Sobig.F (w32.sobig.f@mm) spreads via email and shared network files and could slow email servers with excessive traffic, so it rates a 7 on the ZDNet Virus Meter.

This worm affects only Windows computers, not Mac, Linux, or Unix systems. Like its siblings, Sobig.F has a built-in termination date, 10 September 2003, and can attempt to retrieve, download, and finally execute a Trojan to steal credit card numbers and other personal account information. But Sobig.F differs in that it appends garbage characters to the end of the infected file, making it harder for antivirus products to recognise it.

How it works
Sobig.F arrives as an email with the following characteristics. The From and To addresses are harvested from the infected PC, from files ending with the extensions .dbx, .eml, .htm, .html, .txt, and .wab, so the apparent sender is usually not the real origin of the message.

The Sobig.F subject line reads:

  • Re: Details
  • Re: Approved
  • Re: Re: My details
  • Re: Thank you!
  • Re: That movie
  • Re: Wicked screensaver
  • Re: Your application
  • Thank you!
  • Your details

Its body text reads:

  • See the attached file for details
  • Please see the attached file for details.

The file attached to Sobig.F is:

  • application.pif
  • details.pif
  • document_9446.pif
  • document_all.pif
  • movie0045.pif
  • thank_you.pif
  • your_details.pif
  • your_document.pif
  • wicked_scr.scr

When executed, the worm will add the following to the system registry:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
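As an added example that is not part of the ZDNet article, the following Python check flags a message matching the subject, body and attachment indicators listed above, and scans text in the style of Windows "reg query" output for a Run value pointing at winppr32.exe. The sample message and registry text are constructed; the .pif/.scr rule goes slightly beyond the article's exact attachment list.

```python
import email
from email import policy

# Indicators taken from the article; the sample data further down is constructed.
SUBJECTS = {"Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
            "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
            "Thank you!", "Your details"}
BODIES = {"See the attached file for details", "Please see the attached file for details."}
ATTACHMENTS = {"application.pif", "details.pif", "document_9446.pif", "document_all.pif",
               "movie0045.pif", "thank_you.pif", "your_details.pif", "your_document.pif",
               "wicked_scr.scr"}

def sobig_indicators(raw_message: bytes) -> list:
    """Return the Sobig.F indicators matched by one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in BODIES:
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name.endswith((".pif", ".scr")):  # broader than the article's list
            hits.append("executable-attachment:" + name)
    return hits

def winppr32_run_entries(reg_query_output: str) -> list:
    """Return (key, value name) pairs whose data points at winppr32.exe."""
    found, current_key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HK"):  # key line, e.g. HKEY_CURRENT_USER\...\Run
            current_key = line.strip()
        elif "winppr32.exe" in line.lower() and current_key:
            found.append((current_key, line.split()[0]))
    return found

# Constructed sample message built from the characteristics the article lists.
SAMPLE_MAIL = (b"From: a@example.invalid\r\nTo: b@example.invalid\r\n"
               b"Subject: Re: Wicked screensaver\r\nMIME-Version: 1.0\r\n"
               b'Content-Type: multipart/mixed; boundary="b"\r\n\r\n--b\r\n'
               b"Content-Type: text/plain\r\n\r\nSee the attached file for details\r\n--b\r\n"
               b'Content-Type: application/octet-stream; name="wicked_scr.scr"\r\n'
               b'Content-Disposition: attachment; filename="wicked_scr.scr"\r\n\r\nbinary\r\n--b--\r\n')
# Constructed 'reg query' output containing the Run value the article describes.
SAMPLE_REG = ("HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n"
              "    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe\r\n"
              "    TrayX         REG_SZ    C:\\WINDOWS\\winppr32.exe /sinc\r\n")
```

On a mail gateway the first function would run over each inbound message; the second over the output of querying both Run keys named above.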

Prevention
In general, do not open email attachments without first saving them to hard disk and scanning them with updated antivirus software. If you do not have automatic antivirus signature file updates, contact your antivirus vendor to obtain the most-current antivirus signature files that include Sobig.F.

Removal
Most antivirus-software companies have updated their signature files to include this worm. The updates will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, MessageLabs, Norman, Panda, Sophos, Symantec, and Trend Micro.
