W32/Sobig-F is a worm that spreads via email.
W32/Sobig-F copies itself to the Windows folder as winppr32.exe
and sets one of the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrayX
= <Windows folder>\winppr32.exe /sinc
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrayX
= <Windows folder>\winppr32.exe /sinc
The worm sends itself, using its own SMTP engine, as an
attachment to email addresses collected from various files on the
victim's computer. When it distributes itself via email it forges
the sender's email address, making it difficult to know who is truly
infected.
The email has the following format:
Subject line: Chosen from -
Re: That movie
Re: Wicked screensaver
Re: Your application
Re: Approved
Re: Re: My details
Re: Details
Your details
Thank you!
Message text: Chosen from -
Please see the attached file for details.
See the attached file for details
Attached file: Chosen from -
movie0045.pif
wicked_scr.scr
application.pif
document_9446.pif
details.pif
your_details.pif
thank_you.pif
document_all.pif
your_document.pif
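The subject lines, message texts and attachment names listed above are enough to build a mail-gateway check. The block below is an added example, not part of the Sophos advisory: it parses raw messages with Python's standard email library, reports but never trusts the From: header (the worm forges it), and calls a message Sobig-F when the attachment name is on the worm's list and either the subject or the body matches too. It goes a little beyond the page by also marking any other .pif or .scr attachment as suspicious. The three sample messages are constructed for this example; the attachment payload is the base64 of the text "not a real binary", not worm code.

```python
"""Flag mail that matches the W32/Sobig-F email format (added example)."""
import email
from email import policy

# Indicators taken from the advisory text, lower-cased for comparison.
SUBJECTS = {
    "re: that movie", "re: wicked screensaver", "re: your application",
    "re: approved", "re: re: my details", "re: details", "your details",
    "thank you!",
}
BODIES = {
    "please see the attached file for details.",
    "see the attached file for details",
}
ATTACHMENTS = {
    "movie0045.pif", "wicked_scr.scr", "application.pif", "document_9446.pif",
    "details.pif", "your_details.pif", "thank_you.pif", "document_all.pif",
    "your_document.pif",
}
# Generalisation beyond the advisory: any .pif/.scr attachment deserves a look.
RISKY_EXTENSIONS = (".pif", ".scr")


def classify_message(raw: str) -> dict:
    """Return a verdict dict for one raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""

    subject_hit = subject.lower() in SUBJECTS
    body_hit = body.lower() in BODIES
    name_hit = any(n.lower() in ATTACHMENTS for n in names)
    ext_hit = any(n.lower().endswith(RISKY_EXTENSIONS) for n in names)

    if name_hit and (subject_hit or body_hit):
        verdict = "sobig-f"
    elif ext_hit:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "subject": subject,
        "attachments": names,
        # The worm forges From:, so the sender is reported but never trusted.
        "claimed_sender": str(msg.get("From", "")),
    }


# Constructed sample messages (not real captures). The attachment payload is
# the base64 of "not a real binary", not worm code.
SAMPLE_INFECTED = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

Please see the attached file for details.
--sep
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBiaW5hcnk=
--sep--
"""

SAMPLE_BENIGN = """\
From: carol@example.invalid
To: bob@example.invalid
Subject: Re: Your application
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

Hi Bob, the signed form is attached.
--sep
Content-Type: application/pdf; name="form.pdf"
Content-Disposition: attachment; filename="form.pdf"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBiaW5hcnk=
--sep--
"""

SAMPLE_SUSPICIOUS = """\
From: dave@example.invalid
To: bob@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

See the attached file for details
--sep
Content-Type: application/octet-stream; name="invoice.scr"
Content-Disposition: attachment; filename="invoice.scr"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBiaW5hcnk=
--sep--
"""

if __name__ == "__main__":
    for label, raw in (("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN),
                       ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, classify_message(raw))
```

A subject match on its own is deliberately not enough for a verdict: "Re: Details" and "Thank you!" occur in plenty of legitimate mail, so the rule keys on the attachment name and uses subject or body only as confirmation.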
W32/Sobig-F also attempts to spread by copying itself to Windows
network shares.
Important information
W32/Sobig-F uses the Network Time Protocol (NTP) to access one
of several servers in order to determine the current date and
time.
If the time returned by the NTP server is between 19:00 and
22:00 UTC (8pm to 11pm UK time, which was on BST, UTC+1, while the
worm was active) on a Friday or Sunday, W32/Sobig-F sends a UDP
packet to port 8998 of a remote server. This feature could be used
to download and run a Trojan or additional worm components.
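The following is an added worked example, not part of the advisory, that encodes the trigger condition so a responder can tell whether a given instant falls inside it and when the remaining windows are: Friday or Sunday, 19:00 to 22:00 UTC, with the end of the window treated as exclusive (an assumption; the advisory only says "between"), and nothing on or after the 10 September 2003 cut-off stated at the end of this advisory. Timestamps are converted to UTC before the check, so a UK-local time expressed in BST (UTC+1) is evaluated the way the worm's own NTP-based clock would see it.

```python
"""Compute W32/Sobig-F's UDP/8998 trigger windows (added example)."""
from datetime import datetime, timedelta, timezone

# Trigger condition from the advisory: Friday or Sunday, 19:00-22:00 UTC,
# and only before 10 September 2003, when the worm stops working.
TRIGGER_WEEKDAYS = {4, 6}      # datetime.weekday(): Monday=0 ... Friday=4, Sunday=6
WINDOW_START_HOUR = 19
WINDOW_END_HOUR = 22           # assumed exclusive: 22:00:00 itself does not trigger
KILL_DATE = datetime(2003, 9, 10, tzinfo=timezone.utc)
UK_SUMMER_TIME = timezone(timedelta(hours=1))   # BST, in force in Aug/Sep 2003


def _to_utc(when: datetime) -> datetime:
    """The worm compares against NTP time, so naive local timestamps are rejected."""
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return when.astimezone(timezone.utc)


def in_trigger_window(when: datetime) -> bool:
    """True if the worm would send its UDP/8998 packet at this instant."""
    utc = _to_utc(when)
    if utc >= KILL_DATE:
        return False
    return (utc.weekday() in TRIGGER_WEEKDAYS
            and WINDOW_START_HOUR <= utc.hour < WINDOW_END_HOUR)


def trigger_windows_after(start: datetime, limit: int = 3) -> list:
    """Return up to `limit` (start, end) UTC windows that end after `start`."""
    start_utc = _to_utc(start)
    day = start_utc.replace(hour=0, minute=0, second=0, microsecond=0)
    windows = []
    # Walk day by day; the kill date bounds the loop even for a large limit.
    while len(windows) < limit and day < KILL_DATE:
        if day.weekday() in TRIGGER_WEEKDAYS:
            w_start = day.replace(hour=WINDOW_START_HOUR)
            w_end = day.replace(hour=WINDOW_END_HOUR)
            if w_end > start_utc:
                windows.append((w_start, w_end))
        day += timedelta(days=1)
    return windows


if __name__ == "__main__":
    # Illustrative start date during the outbreak, chosen for the example.
    for w_start, w_end in trigger_windows_after(datetime(2003, 8, 20, tzinfo=timezone.utc)):
        print(f"{w_start:%a %Y-%m-%d %H:%M} to {w_end:%H:%M} UTC")
```

Running it from 20 August 2003 lists Friday 22 August as the first window; across the whole active period there are only six windows before the worm's cut-off, which is why blocking outbound UDP/8998 in advance, as the advisory recommends, is a short-lived but worthwhile control.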
To prevent malicious code from being downloaded by W32/Sobig-F,
Sophos strongly recommends that customers consider configuring
company firewalls so outgoing connection attempts to UDP port 8998
are blocked.
Customers should consult their firewall documentation, or
contact their firewall provider for assistance in implementing
this configuration change.
If the date is 10 September 2003 or later, the worm stops working.