By Robert Vamosi
This worm tries to disguise itself from antivirus apps
Yet another member of the Sobig virus family is loose. Sobig.f (w32.sobig.f@mm) spreads via e-mail and shared network files and could slow e-mail servers with excessive traffic, so it rates a 7 on the CNET Virus Meter. This worm affects only Windows computers, not Mac, Linux, or Unix systems. Like its siblings, Sobig.f has a built-in termination date, September 10, 2003, and can attempt to retrieve, download, and finally execute a Trojan to steal credit card numbers and other personal account information. But Sobig.f differs in that it appends garbage characters to the end of the infected file, making it harder for antivirus products to recognize Sobig.f.
How it works
Sobig.f arrives as an e-mail with the following characteristics:
The From and To addresses are collected from infected PCs, from files ending with the extensions .dbx, .eml, .htm, .html, .txt, and .wab.
The Sobig.f subject line reads:
- Re: Details
- Re: Approved
- Re: Re: My details
- Re: Thank you!
- Re: That movie
- Re: Wicked screensaver
- Re: Your application
- Thank you!
- Your details
Its body text reads:
- See the attached file for details
- Please see the attached file for details.
The file attached to Sobig.f is:
When executed, the worm will add the following to the system registry:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
In general, do not open e-mail attachments without first saving them to hard disk and scanning them with updated antivirus software. If you do not have automatic antivirus signature file updates, contact your antivirus vendor to obtain the most-current antivirus signature files that include Sobig.f.
Most antivirus-software companies have updated their signature files to include this worm. The updates will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, MessageLabs, Norman, Panda, Sophos, Symantec, and Trend Micro.