Virus festival?
- Thread starter Kichwas
- Start date
SOBIG.F will spoof email addresses - it will take all the addresses out of an address book and send itself to them but not use the actual sender as the sender line. This means someone who has your address has the virus, and the virus picked your address to send mails. You are likely not infected but someone you know probably is.
The address spoofing part of this virus is the most annoying part. I know that my users are clean, as we filter attachments like this, but we're getting a ton of bounce messages. I sincerely wish the "artist" behind this malicious code had something better to do. If I ever find his or her mailing address, I'm going to send them a coloring book or something.
Ankh-Morpork Guard
First Post
This is definatly the reason I use both web-based e-mail, and a large amount of virus scanning programs. Strangely, I haven't gotten a single e-mail in the past couple of weeks...guess I'm lucky.
This virus is just painful to watch though...my school got hit and I've spent a lot of time fixing stuff there.
This virus is just painful to watch though...my school got hit and I've spent a lot of time fixing stuff there.
Joshua Randall
Legend
My Yahoo e-mail account (that I use for all non-business e-mail) has received, oh, about 500 messages today. I am not exaggerating. At one point my account got full: 4 MB worth of useless e-mail.
I assume that Yahoo already knows about this and is doing something about it....
God I hate the Internet sometimes.
I assume that Yahoo already knows about this and is doing something about it....
God I hate the Internet sometimes.
Psionicist
Explorer
Since yesterday I've recieved no less than 247 new Sobig.F virus e-mails PER HOUR (in average). It is really annoying to delete a thousand e-mails for breakfast. :/
Last edited:
No Outlook = No Virus?
I deleted Outlook Express from my Windows machine a long time ago. Viruses can't hurt you, unless you download and execute them. Outlook is default set up to execute downloaded attachments! Yes, you can "turn it off", but it's DEFAULT!
So Microsoft is targetted. Always will be, until they decide to make security a consideration. The default settings ofr IE are very insecure, too.
By the Bayou... There is the W32Blaster, AND the SoBig.F Virus running around, right now. Blaster should be about done, but SoBig will be with us through September...
===============================
This detection is for a new variant of W32/Sobig. Note: The worm carries garbage data appended to end of file, so exact filesize and file checksum may vary.
Installation
The worm copies itself onto the victim machine as WINPPR32.EXE into %Windir%, for example:
C:\WINNT\WINPPR32.EXE
A configuration file is also dropped to %Windir%:
C:\WINNT\WINSTT32.DAT
The following Registry keys are added to hook system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc
Mail Propagation
The worm mails itself to email addresses harvested from the victim machine, using its own SMTP engine to construct outgoing messages. Target email addresses are harvested from files with the following extensions:
DBX
HLP
MHT
WAB
EML
TXT
HTM
HTML
Outgoing messages are constructed as follows:
From: (may be admin@internet.com but could be virtually any address)
Subjects:
Your details
Thank you!
Re: Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Attachment:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
Body:
See the attached file for details
Please see the attached file for details
The "From:" address may be spoofed with an address extracted from the victim machine. Therefore the perceived sender is most likely not a pointer to the infected user.
The attachment must be run manually to infect the local system. Additionally, messages sent by the virus contain the following fields
X-MailScanner: Found to be clean
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
The virus sends itself via its own SMTP engine, which requires an ESMTP server to send itself successfully. The virus does an MX lookup on the target domain (ie. when sending itself to user@domain.com, it sends though the servers specified in the MX record for domain.com).
Contacting Remote NTP Servers
The worm contains a list of IP addresses for remote NTP servers, to which it sends NTP packets (destination port 123).
Self-Termination
In common with previous W32/Sobig variants, this variant contains a date triggered self-termination routine. If the date is September 10th 2003 or later, the worm will no longer propagate.
Symptoms
Existence of the WINPPR32.EXE file in %WinDir%
Existence of the Registry hooks detailed above
Unexpected NTP traffic to remote servers
Method Of Infection
This worm propagates via email (contains its own SMTP engine) and attempts to spread via accessible network shares.
Top of Page
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
- Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
- WinNT/2K/XP - Terminate the process WINPPR32.EXE
Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt)
WINPPR32.EXE
WINSTT32.DAT
Edit the registry
Delete the "TrayX" value from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
HKEY_CURRENT_USERS\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Aliases
Name
W32.Sobig.F@mm (NAV)
WORM_SOBIG.F (Trend)
© Copyright 2002 Network Associates Technology, Inc. All Rights Reserved
mhensley said:
I deleted Outlook Express from my Windows machine a long time ago. Viruses can't hurt you, unless you download and execute them. Outlook is default set up to execute downloaded attachments! Yes, you can "turn it off", but it's DEFAULT!
So Microsoft is targetted. Always will be, until they decide to make security a consideration. The default settings ofr IE are very insecure, too.
By the Bayou... There is the W32Blaster, AND the SoBig.F Virus running around, right now. Blaster should be about done, but SoBig will be with us through September...
===============================
This detection is for a new variant of W32/Sobig. Note: The worm carries garbage data appended to end of file, so exact filesize and file checksum may vary.
Installation
The worm copies itself onto the victim machine as WINPPR32.EXE into %Windir%, for example:
C:\WINNT\WINPPR32.EXE
A configuration file is also dropped to %Windir%:
C:\WINNT\WINSTT32.DAT
The following Registry keys are added to hook system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc
Mail Propagation
The worm mails itself to email addresses harvested from the victim machine, using its own SMTP engine to construct outgoing messages. Target email addresses are harvested from files with the following extensions:
DBX
HLP
MHT
WAB
EML
TXT
HTM
HTML
Outgoing messages are constructed as follows:
From: (may be admin@internet.com but could be virtually any address)
Subjects:
Your details
Thank you!
Re: Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Attachment:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
Body:
See the attached file for details
Please see the attached file for details
The "From:" address may be spoofed with an address extracted from the victim machine. Therefore the perceived sender is most likely not a pointer to the infected user.
The attachment must be run manually to infect the local system. Additionally, messages sent by the virus contain the following fields
X-MailScanner: Found to be clean
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
The virus sends itself via its own SMTP engine, which requires an ESMTP server to send itself successfully. The virus does an MX lookup on the target domain (ie. when sending itself to user@domain.com, it sends though the servers specified in the MX record for domain.com).
Contacting Remote NTP Servers
The worm contains a list of IP addresses for remote NTP servers, to which it sends NTP packets (destination port 123).
Self-Termination
In common with previous W32/Sobig variants, this variant contains a date triggered self-termination routine. If the date is September 10th 2003 or later, the worm will no longer propagate.
Symptoms
Existence of the WINPPR32.EXE file in %WinDir%
Existence of the Registry hooks detailed above
Unexpected NTP traffic to remote servers
Method Of Infection
This worm propagates via email (contains its own SMTP engine) and attempts to spread via accessible network shares.
Top of Page
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
- Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
- WinNT/2K/XP - Terminate the process WINPPR32.EXE
Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt)
WINPPR32.EXE
WINSTT32.DAT
Edit the registry
Delete the "TrayX" value from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
HKEY_CURRENT_USERS\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Aliases
Name
W32.Sobig.F@mm (NAV)
WORM_SOBIG.F (Trend)
© Copyright 2002 Network Associates Technology, Inc. All Rights Reserved
Similar Threads
