
Now the SoBig-F virus too, lerrrr


StarGate
25-08-03, 12:28 PM
Description

W32/Sobig-F is a worm that spreads via email.

W32/Sobig-F copies itself to the Windows folder as winppr32.exe and sets one of the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrayX
= <Windows folder>\winppr32.exe /sinc

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrayX
= <Windows folder>\winppr32.exe /sinc

The worm sends itself, using its own SMTP engine, as an attachment to email addresses collected from various files on the victim's computer. When it distributes itself via email it forges the sender's email address, making it difficult to know who is truly infected.

The email has the following format:

Subject line: Chosen from -
Re: That movie
Re: Wicked screensaver
Re: Your application
Re: Approved
Re: Re: My details
Re: Details
Your details
Thank you!

Message text: Chosen from -
Please see the attached file for details.
See the attached file for details

Attached file: Chosen from -
movie0045.pif
wicked_scr.scr
application.pif
document_9446.pif
details.pif
your_details.pif
thank_you.pif
document_all.pif
your_document.pif

W32/Sobig-F also attempts to spread by copying itself to Windows network shares.

Important information

W32/Sobig-F uses the Network Time Protocol (NTP) to access one of several servers in order to determine the current date and time.

If the time returned by the NTP server is between 19:00 and 22:00 UTC+0 (which is 8pm-11pm UK time) on Friday or Sunday, W32/Sobig-F sends a UDP packet to port 8998 of a remote server. This feature could be used to download and run a Trojan or additional worm components.

To prevent malicious code from being downloaded by W32/Sobig-F, Sophos strongly recommends that customers consider configuring company firewalls so outgoing connection attempts to UDP port 8998 are blocked.

Customers should consult their firewall documentation, or contact their firewall provider for assistance in implementing this configuration change.

Here in Malaysia quite a lot of people have been infected by this virus too.

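As an added example that is not part of the original post: a small Python triage script that checks constructed mail records and a Run-key value against the indicators quoted above, and tests whether a given clock time falls inside the worm's Friday/Sunday 19:00-22:00 UTC callback window. The sample mail records and registry value are constructed, and the 22:00 boundary is treated as exclusive.

```python
# Added example (not from the original post or from Sophos): triage helpers
# built from the W32/Sobig-F indicators quoted above. Sample data is constructed.
from datetime import datetime, timezone

# Subject lines, attachment names and autorun keys quoted in the advisory
SUBJECTS = {
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Re: Approved", "Re: Re: My details", "Re: Details", "Your details",
    "Thank you!",
}
ATTACHMENTS = {
    "movie0045.pif", "wicked_scr.scr", "application.pif", "document_9446.pif",
    "details.pif", "your_details.pif", "thank_you.pif", "document_all.pif",
    "your_document.pif",
}
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrayX",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrayX",
)


def is_sobig_mail(subject: str, attachment: str) -> bool:
    """Flag a message whose subject and attachment both match the worm's lists."""
    return subject.strip() in SUBJECTS and attachment.strip().lower() in ATTACHMENTS


def is_sobig_run_value(key: str, value: str) -> bool:
    """Flag the TrayX autorun value pointing at <Windows folder>\\winppr32.exe /sinc."""
    return key in RUN_KEYS and value.strip().lower().endswith("\\winppr32.exe /sinc")


def in_callback_window(when: datetime) -> bool:
    """True on Friday or Sunday between 19:00 and 22:00 UTC (22:00 exclusive),
    the window in which the worm sends its UDP/8998 packet; input is converted
    to UTC first so local-time logs can be checked directly."""
    utc = when.astimezone(timezone.utc)
    return utc.weekday() in (4, 6) and 19 <= utc.hour < 22


# Constructed sample: two mail log records and one autorun value
MAILS = [("Re: Wicked screensaver", "wicked_scr.scr"), ("Re: Invoice", "invoice.pdf")]


def triage() -> dict:
    hits = [m for m in MAILS if is_sobig_mail(*m)]
    reg = is_sobig_run_value(RUN_KEYS[0], r"C:\WINDOWS\winppr32.exe /sinc")
    return {"mail_hits": hits, "registry_hit": reg}


if __name__ == "__main__":
    print(triage())
```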

SebenEleben
26-08-03, 03:52 AM
Go see a doctor if you're already sick.. don't wait too long, or it'll get worse and harder to deal with.

revomatrix
26-08-03, 02:06 PM
That's the thing ...

Advice = find an OS that can reduce the activity of these viruses and worms ...hehe ...you know it ...you can make it real

apairudin
26-08-03, 02:53 PM
Yes, the Casio calculator OS.
Heh heh heh

SebenEleben
31-08-03, 02:39 AM
hehehe... I'd better use the OS of my Phasetech VCD player.. it must be safe.

contens
31-08-03, 07:16 PM
Definitely.. its designer must be so big too...hehheheh :D

Slambe
01-09-03, 10:52 AM
hermm W32/Sobig-F ..... this virus only comes via email, right... what I see is that it arrives as an attached file .... if you click that thing it automatically infects our PC ...is that so... what I can see is that it uses the .pif extension, that's all I can see... :)