Win32:Sobig-F

is another worm belonging to the infamous Win32:Sobig family. Its spreading is time-limited again; in this case it stops spreading on September 10th 2003.

It is able to spread via email and network shares. When executed, the worm drops itself in the %WINDOWS% folder under the name winppr32.exe and adds the following keys to the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrayX = %WINDOWS%\winppr32.exe /sinc
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrayX = %WINDOWS%\winppr32.exe /sinc

Note: %WINDOWS% is the folder where the Windows system is installed. It is usually C:\Windows on Windows 95, 98, ME or XP, or C:\WinNT on Windows NT or 2000. These folder names are the defaults, but the user can choose any other name during Windows installation.

The worm spreads through two channels - e-mail and shared folders. It contains its own SMTP engine for e-mail propagation.

Infected mails have one of the following "Subject:" fields:
Re: Approved
Re: Re: My details
Re: That movie
Re: Wicked screensaver
Re: Your application
Re: Details
Your details
Thank you!

The mail body contains one of these two sentences:
See the attached file for details
Please see the attached file for details

The attachment has one of the following names:
application.pif
details.pif
document_9446.pif
document_all.pif
movie0045.pif
thank_you.pif
your_details.pif
your_document.pif
wicked_scr.scr

The worm spoofs the "From:" address, so it might be anything. The "From:" address visible in an infected mail usually has no connection to the machine the mail actually came from. To find addresses to spread to, the worm searches files with the extensions DBX, EML, HTM, HTML, TXT and WAB.
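The e-mail indicators above (subject lines, body sentences and attachment names) are enough to build a simple mail-gateway filter. The following is an added example written for this description, not code from avast or from the worm analysis; it uses only the Python standard library, the indicator sets are copied verbatim from the lists above, and the sample message is constructed here (the addresses, the boundary and the attachment bytes are made up). Because subjects such as "Re: Details" occur in legitimate mail, the verdict requires a matching attachment name plus at least one text indicator.

```python
"""Added example (not part of the avast description): flag mails that match
the Win32:Sobig-F indicators, using only the Python standard library."""
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Indicator sets copied from the worm description.
SOBIG_F_SUBJECTS = {
    "Re: Approved", "Re: Re: My details", "Re: That movie",
    "Re: Wicked screensaver", "Re: Your application", "Re: Details",
    "Your details", "Thank you!",
}
SOBIG_F_BODIES = {
    "See the attached file for details",
    "Please see the attached file for details",
}
SOBIG_F_ATTACHMENTS = {
    "application.pif", "details.pif", "document_9446.pif", "document_all.pif",
    "movie0045.pif", "thank_you.pif", "your_details.pif", "your_document.pif",
    "wicked_scr.scr",
}


def attachment_names(msg):
    """Lower-cased file names of every MIME part that carries a filename."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name.strip().lower())
    return names


def body_text(msg):
    """Text of the first text/plain part that is not itself an attachment."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            return payload.decode("latin-1", errors="replace")
    return ""


def sobig_f_indicators(raw):
    """Return which of the three indicator classes a raw RFC 822 message hits."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    body = body_text(msg).lower()
    attachments = attachment_names(msg)
    return {
        "subject": subject in SOBIG_F_SUBJECTS,
        "body": any(s.lower() in body for s in SOBIG_F_BODIES),
        "attachment": any(a in SOBIG_F_ATTACHMENTS for a in attachments),
    }


def is_sobig_f_mail(raw):
    """Verdict: a listed attachment name plus at least one text indicator.
    The subject alone is deliberately not enough ("Re: Details" is common)."""
    hits = sobig_f_indicators(raw)
    return hits["attachment"] and (hits["subject"] or hits["body"])


def build_sample(subject, body, attach_name):
    """Construct a sample message in the worm's shape. The sender address is a
    made-up, spoofed one, exactly as the description says the worm does."""
    msg = MIMEMultipart()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.attach(MIMEText(body))
    part = MIMEApplication(b"MZ\x90\x00", Name=attach_name)  # constructed bytes
    part["Content-Disposition"] = 'attachment; filename="%s"' % attach_name
    msg.attach(part)
    return msg.as_string()


if __name__ == "__main__":
    worm_like = build_sample("Re: Your application",
                             "Please see the attached file for details",
                             "your_details.pif")
    benign = build_sample("Re: Details", "Here is the report", "report.pdf")
    print("worm-like:", is_sobig_f_mail(worm_like))   # True
    print("benign:", is_sobig_f_mail(benign))         # False
```

Matching on exact attachment names is brittle in general, but for a worm whose names are fixed it is the cheapest gateway check; a broader rule would block every .pif and .scr attachment outright.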

The worm searches for the folders
\Documents and Settings\All Users\Start Menu\Programs\Startup
\Windows\All Users\Start Menu\Programs\Startup
on network shares and tries to copy itself to them.
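The host-side artefacts described on this page (the TrayX value under both Run keys pointing at winppr32.exe /sinc, and copies of the worm in Startup folders reached over network shares) can be checked against a registry dump and a file listing. The following is an added example, not avast's or the cleaner's code. The dump text and the share paths are constructed here in a simplified "key\value = data" form; the server names are made up; and the assumption that the copy placed in a Startup folder keeps the winppr32.exe name is mine, since the page does not state the name used on shares.

```python
"""Added example (not from the avast page): look for the Win32:Sobig-F
persistence artefacts in a Run-key dump and in a listing of share paths."""
import re

RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
}
STARTUP_SUFFIX = r"\start menu\programs\startup"

# Constructed sample dump in "key\value = data" form. Only the two TrayX lines
# are the worm's; the other entries are benign filler.
SAMPLE_RUN_DUMP = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray = SysTray.Exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrayX = C:\WINDOWS\winppr32.exe /sinc
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrayX = C:\WINDOWS\winppr32.exe /sinc
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\msnmsgr = "C:\Program Files\MSN\msnmsgr.exe" /background
"""

# Constructed paths as a share-scanning script might report them (server names made up).
SAMPLE_SHARE_PATHS = [
    r"\\fileserver\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\winppr32.exe",
    r"\\fileserver\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini",
    r"\\ws12\c$\Windows\All Users\Start Menu\Programs\Startup\winppr32.exe",
    r"\\ws12\c$\Windows\winppr32.exe",
]

_RUN_LINE = re.compile(r"^(.*\\Run)\\([^=]+?)\s*=\s*(.*)$", re.IGNORECASE)


def suspicious_run_values(dump):
    """Return (key, value_name, data) for Run entries that are either the
    worm's TrayX value or any value launching winppr32.exe."""
    hits = []
    for line in dump.strip().splitlines():
        m = _RUN_LINE.match(line.strip())
        if not m:
            continue
        key, name, data = m.groups()
        if key.lower() not in RUN_KEYS:
            continue
        if name.lower() == "trayx" or "winppr32.exe" in data.lower():
            hits.append((key, name, data))
    return hits


def startup_share_copies(paths):
    """Paths that are winppr32.exe inside a Startup folder.
    Assumption (not stated on the page): the copy keeps the winppr32.exe name."""
    found = []
    for p in paths:
        folder, _, filename = p.rpartition("\\")
        if folder.lower().endswith(STARTUP_SUFFIX) and filename.lower() == "winppr32.exe":
            found.append(p)
    return found


if __name__ == "__main__":
    for key, name, data in suspicious_run_values(SAMPLE_RUN_DUMP):
        print("Run value:", key + "\\" + name, "=", data)
    for p in startup_share_copies(SAMPLE_SHARE_PATHS):
        print("Startup copy:", p)
```

On a real system the dump would come from a registry export and the paths from a share enumeration; the matching logic stays the same. The last sample path (the %WINDOWS%\winppr32.exe drop itself) is intentionally not reported by startup_share_copies, since it is the local drop location rather than a Startup folder.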

Removal:
To remove this virus please use our free avast! Virus Cleaner.

avast! with a VPS file dated on or after 19th August 2003 detects this worm.
