Threat Descriptions

Worm:W32/Sobig.F

Classification

Category :

Malware

Type :

Worm

Platform :

W32

Aliases :

Worm:W32/Sobig.F

Summary

A new variant of Worm:W32/Sobig, known as Sobig.F was first found on August 19th, 2003 and it is spreading in the wild.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The executable has a size of around 70KB and it is packed with TELock. It has its own SMTP engine, apart from routines to query directly DNS servers and make requests using the Network Time Protocol.

The worm also has updating capabilities. It will attempt to download updated versions when certain conditions are met. The worm will stop spreading on 10th of September 2003. From this date onwards the worm will exit immediately when executed.

Infection

It will install itself into:

  • %windir%\winppr32.exe

Proceeding then to add the following keys to the Windows Registry:

  • [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc

So it starts when Windows does.

Mail spreading

The worm usually arrives in emails with the following characteristics:

From:The 'From:' field is filled with an address found from the infected system. If no address is found, it will use "admin@internet.com"

To:

The 'To:' field is filled with an address found from the infected system.

Subject:

Any from the following list:

  • Re: Thank you!
  • Thank you!
  • Your details
  • Re: Details
  • Re: Re: My details
  • Re: Approved
  • Re: Your application
  • Re: Wicked screensaver
  • Re: That movie

Body:

It chooses one from the two following lines:

  • See the attached file for details
  • Please see the attached file for details.

Attachment name:

The name is selected from the following list:

  • your_document.pif
  • document_all.pif
  • thank_you.pif
  • your_details.pif
  • details.pif
  • document_9446.pif
  • application.pif
  • wicked_scr.scr