Sajha.com Archives
WORM_SOBIG.F

isolated freak Posted on 23-Aug-03 10:22 AM

WORM_SOBIG.F

Virus type: Worm

Destructive: No

Aliases: Win32.HLLM.Reteras, W32.Sobig.F@mm, W32/Sobig.f@MM, Sobig.F, Win32.Sobig.F, W32/Sobig-F, I-Worm.Sobig.f

Pattern file needed: 620

Scan engine needed: 6.100

Overall risk rating: Medium

Reported infections: Medium

Damage Potential: High

Distribution Potential: High

Description:

This worm propagates by mass-mailing copies of itself using its own Simple Mail Transfer Protocol (SMTP) engine. It collects email addresses from files with the following extensions:

DBX
HLP
MHT
WAB
HTML
HTM
TXT
EML

It sends out email messages with the following details:

Subject:
Re: Thank you!
Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Your details

Message body:
See the attached file for details.
Please see the attached file for details.

Attachment:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

It may spoof the FROM field using email addresses found on the infected machine so that its email messages appear to originate from one source but were actually sent from another.

This worm deactivates its propagation routine on September 10, 2003.

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

Update: Important TrendLabs Advisory

As a precautionary measure against this worm's expected downloading of a file, TrendLabs advises all users to be vigilant about a new yet still unnamed threat from WORM_SOBIG.F.

After its release last August 19, this worm is expected to download a file on the following dates:

Day of the week is Friday or Sunday (GMT)
Hour of the day is between 7 PM (19H) and 10 PM (22H) (GMT)
Note that the time varies across time zones since the worm gets the Universal Coordinated Time (UTC) from a randomly selected Network Time Server (NTS).

During the cited trigger dates, the worm will try to connect to a server and download a file which TrendLabs expects to be a new variant, an update or even a destructive component.

To avoid possible infection, TrendLabs strongly advises users to do the following:

Download the latest pattern file.
Block port 8998 for all outbound traffic to prevent the malware from contacting the remote servers where it can download the file.
Download the Trend Micro System Cleaner.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use the Trend Micro System Cleaner.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

To remove this malware, first identify the malware program.

Scan your system with your Trend Micro antivirus product.
NOTE all files detected as WORM_SOBIG.F.
Trend Micro customers need to download the latest pattern file before scanning their system. Other Internet users may use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

To remove the malware autostart entries:

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
TrayX = "%Windows%\winppr32.exe /sinc"
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
TrayX = "%Windows%\winppr32.exe /sinc"
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Deleting Dropped File

Right-click Start then click Search... or Find... depending on your version of Windows.
In the Named input box, type:
WINSTT32.DAT
In the Look In drop-down list, select the drive which contains Windows, then press Enter.
Once located, select the file then hit Delete.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_SOBIG.F. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

For product specific solutions, please refer to Solution 16031 of Trend Micro's Knowledge Base.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.

For additional information about this threat, see Technical Details.


http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F#solution
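Two defender-side checks built from the indicators in the advisory above, as an added example (not Trend Micro's code and not part of the original post): a mail-gateway triage function that parses a message and reports which Sobig.F lure indicators it matches, and a helper that tells whether a UTC instant falls in the Friday/Sunday 19:00 to 22:00 download window. The sample message is constructed, and treating the window's 22:00 end as exclusive is an assumption.

```python
import email
from datetime import datetime, timezone
from email import policy
# Lure indicators quoted in the advisory above (subjects, bodies, attachment names)
SUBJECTS = {"Re: Thank you!", "Thank you!", "Re: Details", "Re: Re: My details",
            "Re: Approved", "Re: Your application", "Re: Wicked screensaver",
            "Re: That movie", "Your details"}
BODIES = {"See the attached file for details.", "Please see the attached file for details."}
ATTACHMENTS = {"your_document.pif", "document_all.pif", "thank_you.pif", "your_details.pif",
               "details.pif", "document_9446.pif", "application.pif", "wicked_scr.scr",
               "movie0045.pif"}

def sobig_indicators(raw_message: bytes) -> list[str]:
    """Parse one RFC 822 message and return the Sobig.F lure indicators it matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in BODIES:
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append("attachment-name")
        elif name.endswith((".pif", ".scr")):  # same executable types under a new name
            hits.append("executable-attachment")
    return hits

def in_download_window(when: datetime) -> bool:
    """Friday or Sunday, 19:00 to 22:00 UTC (end treated as exclusive; assumption)."""
    utc = when.astimezone(timezone.utc)  # `when` must be timezone-aware
    return utc.weekday() in (4, 6) and 19 <= utc.hour < 22

# Constructed sample resembling the lure above; not a real capture
SAMPLE = b"""From: someone@example.com
Subject: Re: Wicked screensaver
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached file for details.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="wicked_scr.scr"

MZ
--b1--
"""
```

A gateway rule would quarantine on any "attachment-name" hit and alert on "subject" plus "executable-attachment"; the window check is for correlating outbound connection attempts on port 8998 with the advisory's schedule.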

(*)Y(*) Posted on 23-Aug-03 10:37 AM

thanks for the info, IF..but you should have used a different thread title....I wasn't sure whether to click on the thread link or not...hehe!
authentic_angel Posted on 23-Aug-03 12:58 PM

hey thanks for the info!!