Sobig.f prevention and cure
By Robert Vamosi

This worm tries to disguise itself from antivirus apps

(8/19/03)

Yet another member of the Sobig virus family is loose. Sobig.f (w32.sobig.f@mm) spreads via e-mail and shared network files and could slow e-mail servers with excessive traffic, so it rates a 7 on the CNET Virus Meter. This worm affects only Windows computers, not Mac, Linux, or Unix systems. Like its siblings, Sobig.f has a built-in termination date, September 10, 2003, and can attempt to retrieve, download, and finally execute a Trojan to steal credit card numbers and other personal account information. But Sobig.f differs in that it appends garbage characters to the end of the infected file, making it harder for antivirus products to recognize it.

How it works
Sobig.f arrives as an e-mail with the following characteristics:

The From and To addresses are harvested from the infected PC, from files with the extensions .dbx, .eml, .htm, .html, .txt, and .wab.

The Sobig.f subject line is one of the following:

  • Re: Details
  • Re: Approved
  • Re: Re: My details
  • Re: Thank you!
  • Re: That movie
  • Re: Wicked screensaver
  • Re: Your application
  • Thank you!
  • Your details

Its body text is one of the following:

  • See the attached file for details
  • Please see the attached file for details.

The attachment carried by Sobig.f has one of the following names:

  • application.pif
  • details.pif
  • document_9446.pif
  • document_all.pif
  • movie0045.pif
  • thank_you.pif
  • your_details.pif
  • your_document.pif
  • wicked_scr.scr

When executed, the worm adds the following Run entries to the system registry:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
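The mail characteristics above are what a gateway filter can match on. The following is an added example, not code from the article or from any antivirus vendor: it parses a message with Python's email module and reports which Sobig.f traits are present. The indicator strings are the ones listed above; the two sample messages are constructed for illustration.

```python
# Added example, not from the article: a mail-gateway check for the Sobig.f
# traits listed above. Indicator strings come from the article; the two sample
# messages are constructed for illustration.
import email
from email import policy

SUBJECTS = {"Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
            "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
            "Thank you!", "Your details"}
BODIES = {"See the attached file for details",
          "Please see the attached file for details."}
ATTACHMENTS = {"application.pif", "details.pif", "document_9446.pif",
               "document_all.pif", "movie0045.pif", "thank_you.pif",
               "your_details.pif", "your_document.pif", "wicked_scr.scr"}

def sobig_f_indicators(raw_message: bytes) -> list:
    """Return the Sobig.f traits found in one RFC 822 message (empty if none)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() in ATTACHMENTS:
            hits.append("attachment:" + name.lower())
        elif part.get_content_type() == "text/plain" and not name:
            if part.get_content().strip() in BODIES:
                hits.append("body")
    return hits

def is_sobig_f(raw_message: bytes) -> bool:
    """Quarantine rule: a listed .pif/.scr attachment name together with a
    listed subject or body line; a matching subject alone is too weak."""
    hits = sobig_f_indicators(raw_message)
    return any(h.startswith("attachment:") for h in hits) and (
        "subject" in hits or "body" in hits)

# Constructed sample messages (not real captures).
INFECTED = (b"From: someone@example.com\r\nTo: victim@example.com\r\n"
            b"Subject: Re: Wicked screensaver\r\nMIME-Version: 1.0\r\n"
            b'Content-Type: multipart/mixed; boundary="B"\r\n\r\n'
            b"--B\r\nContent-Type: text/plain\r\n\r\n"
            b"See the attached file for details\r\n"
            b'--B\r\nContent-Type: application/octet-stream; name="wicked_scr.scr"\r\n'
            b'Content-Disposition: attachment; filename="wicked_scr.scr"\r\n\r\n'
            b"MZ...\r\n--B--\r\n")
CLEAN = (b"From: a@example.com\r\nTo: b@example.com\r\nSubject: Re: Details\r\n"
         b"Content-Type: text/plain\r\n\r\nLunch at noon?\r\n")
```

The CLEAN message shows why the rule requires an attachment match: a legitimate reply can carry a subject such as "Re: Details", so the subject line alone must not trigger quarantine.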

Prevention
In general, do not open e-mail attachments without first saving them to hard disk and scanning them with updated antivirus software. If you do not have automatic antivirus signature file updates, contact your antivirus vendor to obtain the most current antivirus signature files that include Sobig.f.

Removal
Most antivirus-software companies have updated their signature files to include this worm. The updates will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, MessageLabs, Norman, Panda, Sophos, Symantec, and Trend Micro.