F-Secure Virus Descriptions : Sobig.F




NAME:Sobig.F
ALIAS:W32/Sobig.F@mm

Summary

Sobig.F is a mass-mailer worm which was found in the wild on 19th of August, 2003. This worm sends massive amounts of mail with forged sender information.

The worm contains a payload that activates on Fridays and Sundays, when it downloads a program and runs it on the infected computer.

Update on September 10th

F-Secure is downgrading the alert level on Sobig.F, since the worm has reached its deadline.

The worm was programmed to stop spreading after September 10th, 2003.

Disinfection

Disinfection Tool

F-Secure provides a special tool to disinfect the Sobig.F worm. The tool and disinfection instructions are available at:

http://www.f-secure.com/tools/f-sobig.zip
http://www.f-secure.com/tools/f-sobig.txt
http://www.f-secure.com/tools/f-sobig.exe
http://www.f-secure.com/tools/f-sobig.jar

You can also download them from our FTP server:

ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.txt
ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.jar



Detailed Description

Sobig.F spreads in compressed form, packed with TELock. The unpacked body is around 100 kilobytes in size and was compiled with Visual C++.

System infection

The worm will install itself into:

  %windir%\winppr32.exe

It then adds the following keys to the Windows Registry:

 [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "TrayX" = %windir%\winppr32.exe /sinc

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "TrayX" = %windir%\winppr32.exe /sinc

so that it is started every time Windows starts.

Deactivation routine

The worm will stop spreading on 10th of September 2003. From this date onwards it will exit immediately when executed.

Mail spreading

Sobig.F usually arrives in e-mails with the following characteristics:

From:

 The 'From:' field is filled with an address found on the infected system.
 If no address is found, it uses "admin@internet.com".

To:

 The 'To:' field is filled with an address found on the infected system.

Subject, any from the list:

 Re: Thank you!
 Thank you!
 Your details
 Re: Details
 Re: Re: My details
 Re: Approved
 Re: Your application
 Re: Wicked screensaver
 Re: That movie

Body, one of the following two lines:

 See the attached file for details
 Please see the attached file for details.

Attachment names can be any from:

 your_document.pif
 document_all.pif
 thank_you.pif
 your_details.pif
 details.pif
 document_9446.pif
 application.pif
 wicked_scr.scr
 movie0045.pif

Sometimes the attachment is missing.

Also, the mail header always contains the string "X-MailScanner: Found to be clean". Note that a legitimate anti-virus product inserts this same header into e-mails, so its presence alone does not identify Sobig.F.

Trojan downloader

The worm will also attempt to fetch a URL from which to download components when a certain condition is met. The condition is that the time obtained from one of the NTP servers (whose addresses are hard-coded in the worm) falls on a Friday or a Sunday (of any week) between 19:00 and 22:00 UTC. The worm performs this test every hour.

When the condition is met, it will attempt to retrieve a URL from one of a predefined list of 20 master hosts. The content of the URL will be downloaded and executed on the infected machine.
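An added example, not from the original description, that encodes the activation rule above (Friday or Sunday, 19:00-22:00 UTC, before the September 10th deactivation date) so that an incident timeline can be checked against the worm's download windows; it takes any timezone-aware timestamp as a stand-in for the NTP time the worm obtains.

```python
from datetime import date, datetime, timedelta, timezone

# Activation rule as described above: Fridays and Sundays, 19:00-22:00 UTC,
# checked hourly, until the hard-coded deactivation date of 2003-09-10.
FIRST_SEEN = date(2003, 8, 19)
DEACTIVATION = date(2003, 9, 10)   # from this day on the worm exits at once
ACTIVE_WEEKDAYS = {4, 6}           # Monday is 0, so Friday is 4, Sunday is 6
WINDOW_START, WINDOW_END = 19, 22  # hours UTC; the end hour is exclusive


def in_activation_window(when: datetime) -> bool:
    """True if a Sobig.F host would attempt its master-server lookup at `when`.
    The value is converted to UTC because the worm keys its check to NTP time,
    not to the local clock of the infected machine."""
    utc = when.astimezone(timezone.utc)
    if utc.date() >= DEACTIVATION:
        return False
    return utc.weekday() in ACTIVE_WEEKDAYS and WINDOW_START <= utc.hour < WINDOW_END


def in_activation_window_iso(stamp: str) -> bool:
    """Same check on an ISO 8601 timestamp; a naive stamp is taken as UTC."""
    when = datetime.fromisoformat(stamp)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return in_activation_window(when)


def activation_windows(start: date = FIRST_SEEN, end: date = DEACTIVATION):
    """Every (open, close) UTC window in [start, end) for timeline review."""
    windows = []
    day = start
    while day < end:
        if day.weekday() in ACTIVE_WEEKDAYS:
            opens = datetime(day.year, day.month, day.day, WINDOW_START,
                             tzinfo=timezone.utc)
            windows.append((opens, opens + timedelta(hours=WINDOW_END - WINDOW_START)))
        day += timedelta(days=1)
    return windows
```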

The worm carries a hard-coded list of 19 NTP servers (this is not the list of master servers), which it queries for the time used to coordinate the download of the URL.

Update on the activation: August 22nd, 16:00 UTC

Sobig.F activates on Friday the 22nd of August at 19:00 UTC. For information on this, please see:
http://www.f-secure.com/news/items/news_2003082200.shtml

F-Secure can confirm that 18 of the 20 master servers are currently down or unreachable.

Update on the activation: August 22nd, 17:00 UTC

F-Secure can confirm that 17 of the 20 master servers are currently down. Apparently one of the machines was not disconnected by an ISP and has been booted up by its owner.

We're working together with CERTs, FBI and Microsoft to stop the last three.

Update on the activation: August 22nd, 18:00 UTC

F-Secure can confirm that ALL the master server machines are currently down or unreachable. One of them seems to still respond to PING but not to 8998 UDP.

We have one hour to go to see if this really is the case.

Update on the activation: August 22nd, 18:20 UTC

Unfortunately, one server is up right now after all. And one might be enough for the attack to start successfully.

Update on the activation: August 22nd, 19:00 UTC

When the deadline for the attack had passed, one machine was still (somewhat) up. However, immediately after the deadline, this machine (located in the USA) was totally swamped under network traffic.

We've tried connecting to it, just as the virus does, from three different sensors on three different machines in three different countries. We haven't been able to connect to it once. If we can't connect, neither can the viruses.

So the attack failed.

We'll keep monitoring until 22:00 UTC. If we're not able to connect once, we can safely say that the attack was prevented.

Update on the activation: August 24th, 19:50 UTC

Still not a single connection from any of our sensors to any of the servers.

Update on the activation: August 24th, 21:30 UTC

Situation is still the same. Things look good.

Update on the activation: August 24th, 22:00 UTC

The official attack time on Friday has ended. All 20 machines were inaccessible throughout the attack.

Now we are investigating random UDP traffic that has been seen on the net, possibly relating to the worm.

Update on the activation: August 24th, 19:00 UTC

Sobig.F activates on Sunday the 24th of August at 19:00 UTC.

Currently all master servers are down, nothing is likely to happen.

Update on the activation: August 24th, 20:30 UTC

The situation remains the same.

Update on the activation: August 24th, 22:00 UTC

Nothing happened - the attack failed again.

Update on the activation: August 29th, 19:00 UTC

Sobig.F activates on Friday the 29th of August at 19:00 UTC.

All the master servers are down.

Update on the activation: August 29th, 22:20 UTC

All master servers are down. Nothing happened during the three-hour period. The attack failed.

Sobig history

The following table shows all the Sobig variants, with their expiration dates and when they were first found in the wild. The "Detection" field refers to when we first had databases which detected the corresponding variant.

 Variant         Found           Expires         Detection
 _____________________________________________________________
 Sobig.A         January 9th     NO              2003-01-09_04
 Sobig.B         May 18th        May 31st        2003-05-19_03
 Sobig.C         May 31st        June 8th        2003-06-01_01
 Sobig.D         June 18th       July 2nd        2003-06-18_03
 Sobig.E         June 25th       July 14th       2003-06-26_02
 Sobig.F         August 19th     September 10th  2003-08-19_02
 _____________________________________________________________




Detection

F-Secure Anti-Virus detects the worm with:

[FSAV_Database_Version]

Version=2003-08-19_02



Technical Details: Ero Carrera

Description Updated: Veli-Jussi Kesti, Mikko Hypponen, Katrin Tocheva, Gergely Erdelyi

F-Secure Corporation, August 19th - September 10th, 2003