
The Sobig Worm - W32/Sobig-F

 

 

New Sobig Worm (W32/Sobig-F) - Released: 19th August 2003

 

Are YOU suddenly getting lots of the following emails?

Do these emails come from friends (or even strangers) AND carry an attachment...... Then be suspicious!

ALL the leading Antivirus companies are receiving many reports from computer users of the new mass-mailing Sobig worm: W32/Sobig-F

My own web based email account has over 50 hits of this worm in less than four hours!

 

So What is The Sobig worm (W32/Sobig-F)?

This new worm is a variant of the already well known "Sobig Worm". It is a Mass Mailing worm and is spreading fast...

Basically, once infected, it will look for documents on your PC that have the following extensions:

  • .dbx
  • .eml
  • .hlp
  • .htm
  • .html
  • .mht
  • .wab
  • .txt

When it finds them it searches for any email addresses contained in them and then seeks to send out an email with the worm attached to these addresses. And the email looks like YOU have sent it personally! (or in some circumstances it will fake an address...)

 

Standard Sobig worm (W32/Sobig-F) Characteristics

Like previous versions of the sobig worm, there are some standard characteristics that you can look out for:

The Subject Line Contains One Of The Following:

  • Re: Details

  • Re: Approved

  • Re: Re: My details

  • Re: Thank you!

  • Re: That movie

  • Re: Wicked screensaver

  • Re: Your application

  • Thank you!

  • Your details


The Body Of The Email Contains:

  • See the attached file for details

  • Please see the attached file for details.


The Email Attachment Is (obviously do NOT open it):

  • application.zip (contains application.pif)

  • details.zip (contains details.pif)

  • document_9446.zip (contains document_9446.pif)

  • document_all.zip (contains document_all.pif)

  • movie0045.zip (contains movie0045.pif)

  • thank_you.zip (contains thank_you.pif)

  • your_details.zip (contains your_details.pif)

  • your_document.zip (contains your_document.pif)

  • wicked_scr.zip (contains wicked_scr.scr)
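
The subject, body and attachment lists above can be checked automatically on a mail gateway or against a saved mailbox. The following Python is an added example, not part of the original article: the function names are made up for illustration, the sample message is constructed with an inert archive member, and only the ZIP directory is read (nothing is extracted or run).

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the lists on this page, lower-cased for comparison.
SUBJECTS = {"re: details", "re: approved", "re: re: my details",
            "re: thank you!", "re: that movie", "re: wicked screensaver",
            "re: your application", "thank you!", "your details"}
BODIES = {"see the attached file for details", "please see the attached file for details"}
# Files the page says the attachments contain; each zip name is derived from them.
INNER = ["application.pif", "details.pif", "document_9446.pif",
         "document_all.pif", "movie0045.pif", "thank_you.pif",
         "your_details.pif", "your_document.pif", "wicked_scr.scr"]
ATTACHMENTS = {n.rsplit(".", 1)[0] + ".zip": n for n in INNER}

def zip_members(data):
    """List names from the ZIP directory; nothing is extracted or run."""
    try:
        return [n.lower() for n in zipfile.ZipFile(io.BytesIO(data)).namelist()]
    except zipfile.BadZipFile:
        return []

def sobig_f_hits(raw):
    """Return which of the page's indicators one raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().rstrip(".").lower() in BODIES:
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
            if ATTACHMENTS[name] in zip_members(part.get_payload(decode=True) or b""):
                hits.append("contains:" + ATTACHMENTS[name])
    return hits

def constructed_sample(subject, body, filename, member):
    """Build a harmless test message; the archive member is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "inert placeholder")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()
```

A message that matches an attachment name together with a listed subject or body is a strong candidate for quarantine; a subject match alone is weak, since phrases like "Thank you!" are common in legitimate mail.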



 

PLEASE note that this virus can ALSO spread via network shares....

 

How Do I Know I Have Been Infected With The Sobig worm (W32/Sobig-F)?

 

1) The worm copies itself as: 

C:\Windows\winppr32.exe

or 

C:\Winnt\winppr32.exe

depending on which operating system you are using!

2) It will also place itself in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

By placing itself in this part of the registry it will start the worm EVERY time you start Windows...

 

Does This Sobig worm (W32/Sobig-F) Do Anything Nasty?

Yes it can...

Basically the worm has been designed so that it can download files to the infected computer and execute them! This is a deliberate attempt by the creator of the worm to steal files and data from YOUR machine....

It is ALSO designed to use infected machines to relay this SPAM around the Internet... The Sobig worm effectively makes your infected computer into an "email server"

 

What Do I Do Now?

If you have been infected then go to the website of your Antivirus software company and:

1) Follow their instructions on how to temporarily turn off System Restore.. 

2) Download the latest virus definition for the new Sobig worm (W32/Sobig-F)..

3) Follow their instructions on how to STOP the Trojan process.. 

4) Follow their instructions on how to scan your system and delete the Sobig worm..

---

Or you could try the sobig worm removal tool from Sophos.

If you DO NOT have an anti virus running on your PC then get one now!

Even the FREE Antivirus software from www.grisoft.com is good enough for Windows XP users..

 

 

 

I hope this article helps YOU!

 



 

Regards

Marc Liron
marc@updatexp.com


The views on this website are my own and not that of Microsoft.
I am not responsible for the content of any sites linked to.
ALL information is provided "As Is"

This page was last updated 19th August 2003
