W32/Sobig-F

W32/Sobig-F

Aliases :
I-Worm.Sobig.f, W32/Sobig.F-mm

Type :
Win32 worm

Description
W32/Sobig-F is a worm that spreads via email and network shares.

W32/Sobig-F copies itself to the Windows folder as winppr32.exe and sets one of the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrayX
= <Windows folder>\winppr32.exe /sinc

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrayX
= <Windows folder<\winppr32.exe /sinc

The worm sends itself as an attachment to email addresses collected from various files on the victim's computer.


Read more:
http://www.sophos.com/virusinfo/analyses/w32sobigf.html

 

TrendLabs received numerous infection reports of a new malware spreading
in Norway and Spain. This malware is detected as WORM_SOBIG.F. As of 5:11 AM US Pacific Time, Trend has declared a Yellow Alert to control the spread of this malware.

This worm is designed to propagate via e-mail using its own Simple Mail Transfer Protocol (SMTP) engine.

Read more:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F

 

http://www.nukecops.com/article-518-nested-0-0.html

I myself received several hundred of these in a matter of hours today. Needless to say I have the listed email addresses DNSBL.

 

SOBIG-F DISINFECTION TOOL AVAILABLE FROM SOPHOS


Sophos researchers have developed a standalone tool
which detects and disinfects the commonly encountered
W32/Sobig-F worm.

Sophos originally issued protection against the
W32/Sobig-F worm at 10:37 GMT on Tuesday 19 August.
This utility provides a simple way for businesses
and home users to confirm their networks are clean
and disinfect any infected files that are found.

You can download the disinfection tool and documentation
from Sophos's website at:

Note by FanJ: a direct download link follows now:

http://www.sophos.com/misc/sobigsfx.exe


You can read more about the Sobig-F worm on
Sophos's website at the following urls:

http://www.sophos.com/virusinfo/articles/sobigf.html
http://www.sophos.com/virusinfo/analyses/w32sobigf.html

 

FYI...spreading "faster than the speed of thought":

- Postini blocks over 1.8 million instances of Sobig.F in One Day ...
http://www.postini.com/press/pr/pr082003b.html
August 20, 2003
"140,000 Percent Increase over Previous Day's Activity
- Postini...quarantined 1,881,689 instances of the Sobig.F email virus for its customers yesterday and expects to block more than 3 million instances today. The Sobig.F has quickly become one of the most virulent email strains ever seen..."

-EDIT/ADD:
FYI...from the Internet Storm Center:

...Sobig F...
http://isc.sans.org/diary.html?date=2003-08-20
"...Despite the best efforts of system admins world wide, users are still clicking on e-mail attachments. We strongly recommend attachment stripping on mail gateways. Please note, that the 'From' address is spoofed. Do not send auto replies to senders, as this will just worsen the email flood caused by Sobig F. As other Sobig variants, this one includes the ability to update the worm remotely, backdoors and a full set of other evilness..."

 

The Race to beat Sobig
August 22, 2003, 9:02 AM PT
http://news.com.com/2100-1002-5067078.html?tag=sas_email
"Computer security experts raced to beat the clock Friday as the super-potent Sobig.F e-mail virus threatened to unleash a crippling barrage of data across the Internet...Security experts discovered only late on Thursday that the Sobig.F virus...was harboring a sinister secret. Hidden within the virus is an instruction to the infected machines to make contact at 12 p.m. PDT with the 20 computers, which host an unidentified program...The time trigger is set to be activated again at the same time on Sunday, Aug. 24. The search for the owners of the 20 machines--to get them to disconnect before the deadline--has had some success. 'We've taken more than half offline,' said Mikko Hypponen, antivirus research manager at Finland's F-Secure. 'But if one is left standing, there will be an attack.'..."

 

Per monitor of F-Secure:
http://www.f-secure.com/v-descs/sobig_f.shtml
"...Update on 22:00 UTC
- The official attack time on Friday has ended. All 20 machines were inaccessible throughout the attack.
- Now we are investigating random UDP traffic that has been seen in the net, possibly relating to the worm..."

 

E-mail worm on a rampage
http://www.bayarea.com/mld/mercurynews/news/6592028.htm?template=contentModules/printstory.jsp
Aug. 22, 2003
"...Postini blocked 3.5 million infected e-mails from reaching the mail servers of its 1,500 customers Wednesday, up from 1.8 million Tuesday, and was on track to block about 5 million Thursday. A normal daily average is about 400,000..."

SoBig F to try again Sunday
http://www.vnunet.com/News/1143169
"...Paul Wood, chief information analyst at email security specialists MessageLabs, said: "We've blocked well over two million infections in the past 48 hours, and this is likely to hit three million by the end of the week and more over the weekend. 'The fact that antivirus vendors didn't have signatures available for 12 hours after the first sighting means it had a real headstart.' This is the sixth variant on the SoBig worm, which first surfaced in January of this year..."

Don't lose your head in security madness
http://www.vnunet.com/Print/1143112
"...Selling security is far from easy. You need to really understand the nature of the threat and the cost to the business, as well as design a solution that protects the end-user from today's and tomorrow's security risks. It takes years to do this well..."

 

FYI...

Worm...hitting hard
http://news.com.com/2100-1002-5066875.html?tag=nl
"...America Online said it scanned 40 million e-mail attachments on Wednesday--about four times the average daily volume--and found more than 23 million copies of the Sobig.F virus..."
->>> MSBlast and its variants, and the Sobig.F virus, have disrupted several companies, including those responsible for critical parts of the United States' infrastructure.
- Defense contractor Lockheed Martin had less than 1 percent of its systems infected, but still had disruptions.
- The Massachusetts Institute of Technology found its e-mail servers congested from the amount of messages created.
- Railway and freight hauler CSX had to stop trains because of the Nachi worm, the Associated Press reported.
- Airline Air Canada canceled flights on Tuesday because its network couldn't deal with the amount of traffic generated by the Nachi worm.
- The Pentagon and military had myriad infections of the Sobig.F virus and the Nachi worm, various news agencies reported..."

 

Saturday, August 23, 2003
'Sobig' virus traced to Canadian computer

http://canada.com/national/story.asp?id=F5CD01CE-D66F-4DDD-AA65-DEB7F30F45C3

"Meanwhile, the FBI yesterday served a grand jury subpoena on Easynews.com, a Phoenix-based Internet service provider whose network may have been used to disseminate Sobig. The virus is believed to have been released onto Usenet, a kind of Internet bulletin board, by someone with an account at the service provider, according to Michael Minor, the company's co-owner. A stolen credit card number was used to create the account minutes before the virus was unleashed on Monday, Minor said. His company is co-operating with the FBI, he added.

A computer in British Columbia was apparently used to create the account. Experts said the computer belongs to an innocent home user who was hit by a previous version of the virus that allowed the clandestine programmer to seize control of the computer. That makes catching the writer of the virus more difficult, experts said."

Regards,

CrazyM

 

But then, I saw this story yesterday:

War of the Worms
Sunday August 24, 2003
http://observer.guardian.co.uk/focus/story/0,6903,1028370,00.html
"The hunt is on. Teams of FBI experts are poring through computer databases in the United States...He is a virus writer...It was called SoBig F, and it lived up to its name...by the end of the week one in 15 emails across the entire world was coming from the virus...
- FBI and anti-virus computer sources confirmed that the author was an American and almost certainly a man. They have also determined that his virus shares some of the characteristics popular with spammers. As most spammers live in Florida, that could place the virus writer...perhaps near the town of Boca Raton, the unofficial spam capital of the world..."

Hmmm, who knows? Doesn't sound like the FBI does, yet.

 

If you've noticed your firewall log bulge lately, this is probably why:
- FYI...update from the Internet Storm Center:

Sobig-F and Nachia update
August 26th 2003
http://isc.sans.org/diary.html?date=2003-08-26
"...
- Sobig-F
Sobig-F went through two update cycles...Most updates servers were taken down, and the remaining server handed out a benign payload...Administrators of mail servers are asked not to bounce infected messages. Sobig will fake the "From" header and notification messages will flood innocent users...
- Nachia
Nachia continues to flood networks with ICMP messages and port 135 scans. Based on our measurements, the number of hosts infected by Nachia and MSBlaster is not decreasing...at around 150,000. Network administrators are strongly advised to track down infected machines..."

 

...Sobig is bad for privacy and AV vendors
http://www.theregister.com/content/56/32510.html
Aug 27 2003
"...The speed at which viruses take hold is outpacing the capacity of AV firms to develop fixes for users to deploy them. The critical path has gone critical...In defending against the worm, the Internet community may have to move towards a new defensive posture. More of the same just won't do...AV vendors have mined a rich seam of free publicity on the back of Sobig and Blaster. They say you must deploy and update AV tools to protect yourselves against the worm. Enterprises should consider blocking executables at the gateway, they add. It's a familiar theme and it's wearing thin...Symantec, McAfee, Sophos and the rest would do well to look over their shoulder. Behaviour blocking technology - which is able to stop malicious code executing on the desktop - could supplant AV tools as the first line of defence against viral code..."