This worm affects only Windows computers, not Mac, Linux, or Unix systems. Like its siblings, Sobig.F has a built-in termination date, 10 September, 2003, and can attempt to retrieve, download, and finally execute a Trojan to steal credit card numbers and other personal account information. But Sobig.F differs in that it appends garbage characters to the end of the infected file, making it harder for antivirus products to recognise Sobig.F.
How it works
Sobig.F arrives as an email with the following characteristics:
The From and To addresses are collected from infected PCs, from files ending with the extensions .dbx, .eml, .htm, .html, .txt, and .wab.
The Sobig.F subject line is one of the following:
- Re: Details
- Re: Approved
- Re: Re: My details
- Re: Thank you!
- Re: That movie
- Re: Wicked screensaver
- Re: Your application
- Thank you!
- Your details
Its body text is one of the following:
- See the attached file for details
- Please see the attached file for details.
Its attachment is one of the following files:
- application.pif
- details.pif
- document_9446.pif
- document_all.pif
- movie0045.pif
- thank_you.pif
- your_details.pif
- your_document.pif
- wicked_scr.scr
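The subject lines, body texts and attachment names above are exactly the kind of indicators a mail gateway or client-side filter can match on. The following is an added example, not code from the original article or from any of the antivirus vendors it names: it parses a message with Python's standard email module and reports which indicator classes it matches. The two sample messages, the `triage_message` function and its three-level verdict are constructed for this example.

```python
"""Triage an incoming message against the Sobig.F indicators listed in the article."""
import email
from email import policy

# Indicator lists transcribed from the article.
SOBIG_SUBJECTS = {
    "Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Thank you!", "Your details",
}
SOBIG_BODIES = {
    "See the attached file for details",
    "Please see the attached file for details.",
}
SOBIG_ATTACHMENTS = {
    "application.pif", "details.pif", "document_9446.pif", "document_all.pif",
    "movie0045.pif", "thank_you.pif", "your_details.pif", "your_document.pif",
    "wicked_scr.scr",
}


def triage_message(raw: str) -> dict:
    """Parse a raw RFC 822 message and report which indicator classes it matches.

    verdict: "match" when two or more classes hit, "suspicious" for one, else "clean".
    """
    msg = email.message_from_string(raw, policy=policy.default)
    hits = {"subject": None, "body": None, "attachments": []}

    subject = str(msg["Subject"] or "").strip()
    if subject in SOBIG_SUBJECTS:
        hits["subject"] = subject

    for part in msg.walk():
        name = part.get_filename()
        if name:
            # Compare case-insensitively; the worm's names are all lower case.
            if name.lower() in SOBIG_ATTACHMENTS:
                hits["attachments"].append(name)
            continue
        if part.get_content_type() == "text/plain":
            text = part.get_content().strip()
            if text in SOBIG_BODIES:
                hits["body"] = text

    score = sum(1 for v in (hits["subject"], hits["body"], hits["attachments"]) if v)
    hits["score"] = score
    hits["verdict"] = "match" if score >= 2 else "suspicious" if score == 1 else "clean"
    return hits


# Constructed sample messages (not real captures); the attachment body is filler.
SAMPLE_SOBIG = """\
From: friend@example.invalid
To: you@example.invalid
Subject: Re: Wicked screensaver
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

See the attached file for details
--sep
Content-Type: application/octet-stream; name="wicked_scr.scr"
Content-Disposition: attachment; filename="wicked_scr.scr"
Content-Transfer-Encoding: base64

AAAA
--sep--
"""

SAMPLE_CLEAN = """\
From: colleague@example.invalid
To: you@example.invalid
Subject: Lunch on Friday?
Content-Type: text/plain

Are we still on for 12:30?
"""

if __name__ == "__main__":
    for label, raw in (("sobig", SAMPLE_SOBIG), ("clean", SAMPLE_CLEAN)):
        print(label, triage_message(raw))
```

Requiring two indicator classes for a "match" keeps a legitimate "Thank you!" reply from being dropped on its subject alone, while a matching attachment name together with a matching subject is a strong enough signal to quarantine.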
When executed, the worm will add the following to the system registry:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
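The two Run-key values above are the persistence artifact a defender can look for on a host without executing anything. The code below is an added example, not from the article: it parses text in the format of a `reg export` of the two Run keys, flags any value named TrayX or any data referencing winppr32.exe, and, on Windows only, can read the live keys through the standard winreg module. The sample export text and the function names are constructed for this example; the full hive names are spelled out as they appear in .reg files.

```python
"""Look for the Run-key persistence the article describes in a .reg-style export."""
import re
import sys
from typing import List, Tuple

# Full key names as written in a 'reg export' file (the article abbreviates the hives).
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
SUSPECT_VALUE_NAME = "TrayX"      # value name from the article
SUSPECT_EXE = "winppr32.exe"      # executable from the article; %windir% varies per host

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Turn 'reg export' text into (key, value_name, data) triples; REG_SZ values only."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                # .reg files double every backslash inside quoted strings.
                data = m.group(2).replace("\\\\", "\\")
                entries.append((key, m.group(1), data))
    return entries


def find_sobig_persistence(entries):
    """Return the Run-key entries matching the article's value name or executable."""
    findings = []
    for key, name, data in entries:
        if key.lower() not in RUN_KEYS:
            continue
        if name == SUSPECT_VALUE_NAME or SUSPECT_EXE in data.lower():
            findings.append((key, name, data))
    return findings


def read_live_run_keys():
    """Windows only: read both Run keys through the standard winreg module."""
    if sys.platform != "win32":
        raise RuntimeError("live registry access is only available on Windows")
    import winreg
    entries = []
    subkey = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    for hive, hive_name in ((winreg.HKEY_CURRENT_USER, "HKEY_CURRENT_USER"),
                            (winreg.HKEY_LOCAL_MACHINE, "HKEY_LOCAL_MACHINE")):
        try:
            with winreg.OpenKey(hive, subkey) as k:
                i = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(k, i)
                    except OSError:
                        break  # no more values under this key
                    entries.append((hive_name + "\\" + subkey, name, str(data)))
                    i += 1
        except OSError:
            continue  # key absent or not readable
    return entries


# Constructed sample export (not from a real infected host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"
"""

if __name__ == "__main__":
    for finding in find_sobig_persistence(parse_reg_export(SAMPLE_REG)):
        print("suspicious Run entry:", finding)
```

Matching on the executable name as well as the value name matters because the path under %windir% differs between hosts, and an administrator reviewing an export will usually recognise the unfamiliar binary before the value name.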
Prevention
In general, do not open email attachments without first saving them to hard disk and scanning them with updated antivirus software. If you do not have automatic antivirus signature file updates, contact your antivirus vendor to obtain the most current antivirus signature files that include Sobig.F.
Removal
Most antivirus-software companies have updated their signature files to include this worm. The updates will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, MessageLabs, Norman, Panda, Sophos, Symantec, and Trend Micro.
Talkback
We Silver Surfers haven't a clue what you are talking about! We rely on Norton Antivirus at $38.00 a year (real money £25!!) and hope they are on the ball! Whilst we are talking to the industry it would be great if the whole of the computer industry had a translation service from geek talk. When we submit a query to AOL helpline, and this probably applies to others, the answer might as well be in Chinese (probably better if it was, as we worked there for two years!!)
I still get emails from postmaster like every time I check my email at yahoo saying that a message containing a virus was intercepted. I am kind of paranoid that this worm is sending emails to emails in my address book.
Is there a way to stop these emails from coming to my inbox?
I have a new computer with windows xp, today I was sent around 40 e-mails with the 're-details' and 'wicked screensaver'. I didn't attempt to see any attachments, I just opened a few e-mails until I cottoned on.
Does that mean I have still been infected?
I don't have any anti-virus programs.
I found over 140 e-mails from Sobig in my in-tray this morning. Is there a patch available to deter the virus?
We were completely unaffected by the Sobig virus.
However, the rapid spread of this virus should be a wake-up call to the Internet community. It doesn't take a rocket scientist to prepare for such an outbreak. Keep your virus definitions and patches up-to-date.
Our company was completely unaffected by the Sobig strain of viruses. We use Merak Mail Server ( http://www.MerakMailServer.com ) which has an integrated Antivirus that is capable of scanning 2000+ messages per second.
In addition, it has what is called an "Active Update" service which ensures that our virus definitions are always up-to-the-minute, up-to-date by queueing our server to download the latest virus definitions the minute a new definition is released.
Contrary to your report, my Mac is infected with this virus. I received 85 messages in less than an hour and several more from other servers asking me to stop sending spam!
Yes, get Norton Anti-Virus and make sure you have all of the updates. Also use Aol as your Service Provider they have built in email anti-virus protection.
Sounds like you work for them. Or are you on commission?
My computers also haven't been attacked by a virus. But I don't need any virus software to protect it. Just a proper operating system that doesn't allow them in the first place.
I'd just stay away from all attachments, and delete unnecessary emails til this is over.
as long as u realise that aol technical support is pretty useless, and they only work from set scripts then you might feel a little happier............. yes i too use aol :-( though i have to admit i am pretty clued up about pcs)
if you have an attachment in an email from someone you don't know, delete it!
if it's from someone you know, email them and ask if they sent it.
stevan
I have a mac system and I opened this Re:thank you email. it was addressed from a friend!! Ever since my mail box has been full of undeliverable message errors. Everything I have read says it shouldn't affect my system, but there is something weird going on!
hi i have had this for a few days. xp has an anti virus program on one of their disks, norman anti virus. load it onto your system and bingo, bye bye virus
I am working with Linux but I have an email account at www.web.de. Apparently, SoBig.F manages to send mails in my name although I never opened any attachment, and it is Linux anyway. My email is boris.hennig(a)web.de; I am getting enough spam so I didn't want to give the real one in the form :-)
Was sent email today with RE Thank you but did not open attachment, or it did not have one. Is it a hoax? Is computer safe? I deleted straight away, also have norton security but still worried.
having been on the internet for 6 years now and not being an adherent of anti-virus software, (i don't use the stuff) here are a few tips that might help home users.
use a firewall. preferably one that utilizes stateful packet filtering techniques.
uninstall windows visual basic scripting host.
check the file attributes for wsock and winsock files in windows directory/s and uncheck the archive box and check the read-only box instead. these files do not have to be written to for the socket to operate properly.
empty your address books and keep your email addresses in a text file. use copy and paste from the text file to your email client.
stay apprised of current "threats" and familiarize yourself with pertinent details such as subject lines, file sizes and other information involving current worms, trojans and viruses.
don't open email from people you don't know.
treat it the same way you would if it arrived in your snail-mail box. return to sender or delete. definitely do not open attachments forwarded from unknown senders.
use web based email that provides anti-virus filtering for both inbound and outbound messages.
learn how to create filters and use them in your email client.
when using isp-based email, truncate your incoming email to say 2kb. that way you can "look it over" and inspect the headers before downloading the entire contents from your server.
knowledge only constitutes power when it is put into practical application.
If you're on a Mac, you cannot be infected. But if you read the report, you'll see that the virus fakes the sender address when sending out emails. So if a friend of yours has an infected machine, and you're in their address book, you could be the recipient of the bounces and complaints. This is unfortunate, but does NOT mean that your machine is infected.
My suggestion as an IT Manager is to configure your Mail Server or email client to remove all attachments that can contain executable instructions, i.e. .EXE .SCR .VBS .COM .BAT .PIF etc
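One way to implement the attachment policy suggested in the comment above, as an added example that is not the commenter's code or any mail server's built-in feature: the filter below uses Python's standard email module to drop any part whose filename carries one of the listed extensions, catches double extensions such as report.txt.pif as well, and leaves a short text notice in place of each removed part. The extension list (the comment's .EXE .SCR .VBS .COM .BAT .PIF plus .cmd and .js as an assumed local addition), the sample message and the function names are constructed for this example.

```python
"""Strip attachments that can carry executable content, as a mail-server or client policy."""
import email
from email import policy
from email.message import EmailMessage

# Extensions from the comment above, plus .cmd and .js as an assumed local policy addition.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs", ".com", ".bat", ".pif", ".cmd", ".js"}


def is_blocked_name(filename: str) -> bool:
    """True if any extension in the name is blocked, so 'report.txt.pif' is caught too."""
    pieces = filename.lower().split(".")
    return any("." + p in BLOCKED_EXTENSIONS for p in pieces[1:])


def strip_executable_attachments(raw: str):
    """Return (cleaned_message, removed_names) for a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    removed = []
    if not msg.is_multipart():
        return msg, removed          # a single-part message carries no attachment
    kept = []
    for part in msg.iter_parts():
        name = part.get_filename()
        if name and is_blocked_name(name):
            removed.append(name)
            # Leave a visible marker so the recipient knows something was taken out.
            notice = EmailMessage()
            notice.set_content(f"[attachment {name!r} removed by policy]")
            kept.append(notice)
        else:
            kept.append(part)
    msg.set_payload(kept)            # replace the subpart list in place
    return msg, removed


# Constructed sample message (not a real capture); attachment bodies are filler.
SAMPLE = """\
From: sender@example.invalid
To: you@example.invalid
Subject: Your details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Please see the attached file for details.
--sep
Content-Type: application/pdf; name="agenda.pdf"
Content-Disposition: attachment; filename="agenda.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--sep
Content-Type: application/octet-stream; name="your_details.pif"
Content-Disposition: attachment; filename="your_details.pif"
Content-Transfer-Encoding: base64

AAAA
--sep--
"""

if __name__ == "__main__":
    cleaned, removed = strip_executable_attachments(SAMPLE)
    print("removed:", removed)
    print(cleaned.as_string())
```

Checking every extension in the name rather than only the last one is what makes the double-extension trick ineffective against this filter; the .pdf in the sample survives because none of its extensions is on the list.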
If you virus scan all the attachments you receive you should be okay, as long as you keep the definitions up-to-date!
I have received hundreds of emails this morning (obviously without attachments) and I can see that this is a huge worm!
If you don't know yet that your pc is infected and say your anti virus software hasn't picked it up, are there any commands that you can run that will show it is present??
this sobig virus poses a worldwide threat to every one, does it affect aircraft as well
Avoid Norton AV, McAfee, and F-Protect. They all let in viruses even though they were fully updated. Norton let in and refused to recognize the SDbot trojan virus, causing me to lose around 3 gig of data overnight. F-protect let in and refused to recognise the w32 virus allowing me to spread it to friends and family and McAfee let in another trojan (can't remember the name). So far Sophos AV hasn't let me down.
I have stopped the postmasters by setting up the email filter to delete emails containing the words used by this virus.
Macs were affected too by this worm. But I can't seem to find a solution for this.
So easy to prevent all these viruses: go to www.grisoft.com and get free anti virus software with regular free updates. Sorry folks, it's your own fault!
I have yahoo mail and have been getting slammed w/ SoBig since yesterday, September 4th. Some of the emails have my addy listed as sender and receiver! I have scanned w/ eanthology and microtrend and my system shows clean for now
Ldovey
i use a web based e-mail account and that has been overrun with returned e-mail messages all with the sobig attached files.
i traced the original connection to where they came from and it was someone using a static ip address (adsl/broadband/cable). i contacted the isp responsible for maintaining this connection several times but with no response, until i started returning the disabled virused e-mail to them, then i got an email saying they would contact the person responsible and sort it, but they havent yet
KEV - TECHIE, I HAVE JUST GOT A NEW COMPUTER WITH WINDOWS OFFICE XP 2000. SUBSCRIBED TO BROADBAND AOL. THE POP-UPS SHOCKED ME AND NOW I'M REALLY WORRIED ABOUT VIRUSES. CAN'T REALLY AFFORD TO SPEND ANY MORE MONEY AND WAS INTERESTED TO READ THAT YOU DON'T NEED ANY VIRUS SOFTWARE PROTECTION, JUST 'A PROPER OPERATING SYSTEM.' HOW DOES THIS WORK? IN EASY TERMS, HOW DO I SET THIS UP ON MY COMPUTER? ANY HELP APPRECIATED
i had norton virus & utilities, they are just quick fixes. get rid & get zone alarm & use big fix, no problems on the net then. best thing i did (be safe peeps)
After being virused earlier this year by the Sobig.f virus, and noticing bouncebacks in my email, my Norton couldn't detect it, and the easiest way to get rid of a virus is to format your hard disk drive, but then you lose all your data if you didn't have it backed up.