WORM_SOBIG.F
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Sobig.f (Kaspersky), W32/Sobig.f@MM (McAfee), W32.Sobig.F@mm (Symantec), Worm/Sobig.F (Avira), W32/Sobig-F (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This worm propagates by mass-mailing copies of itself using its own Simple Mail Transfer Protocol (SMTP) engine. It collects email addresses from files with the following extensions:

  • DBX
  • HLP
  • MHT
  • WAB
  • HTML
  • HTM
  • TXT
  • EML

It sends out email messages with the following details:

Subject: <any of the following:>
Re: Thank you!
Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Your details

Message body: <any of the following:>
See the attached file for details.
Please see the attached file for details.

Attachment: <any of the following:>
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

It may spoof the FROM field using email addresses found on the infected machine, so that its email messages appear to originate from one source despite being sent from another. It may also use the email address admin@internet.com to spoof the FROM field.
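As an added defender-side example (not part of the original Trend Micro description), the following Python mail-gateway check matches an incoming message against the subjects, body text, attachment names and spoofed sender listed above. The sample message, its recipient address and the attachment bytes are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
SOBIG_F_SUBJECTS = {
    "Re: Thank you!", "Thank you!", "Re: Details", "Re: Re: My details",
    "Re: Approved", "Re: Your application", "Re: Wicked screensaver",
    "Re: That movie", "Your details",
}
SOBIG_F_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}
SOBIG_F_BODIES = {
    "See the attached file for details.",
    "Please see the attached file for details.",
}
SPOOFED_SENDER = "admin@internet.com"


def sobig_f_indicators(raw: bytes) -> list[str]:
    """Return the WORM_SOBIG.F indicators matched by one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() in SOBIG_F_SUBJECTS:
        hits.append("subject")
    if SPOOFED_SENDER in (msg["From"] or "").lower():
        hits.append("from")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in SOBIG_F_BODIES:
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in SOBIG_F_ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name.endswith((".pif", ".scr")):  # same executable types, unlisted name
            hits.append("executable-attachment:" + name)
    return hits


def is_sobig_f(raw: bytes) -> bool:
    """Quarantine rule: a listed attachment name, or the listed subject plus body."""
    hits = set(sobig_f_indicators(raw))
    return any(h.startswith("attachment:") for h in hits) or {"subject", "body"} <= hits


def build_sample() -> bytes:
    """Constructed message mimicking the worm's mail; not a real capture."""
    m = EmailMessage()
    m["From"] = SPOOFED_SENDER
    m["To"] = "user@example.test"  # constructed recipient
    m["Subject"] = "Re: Wicked screensaver"
    m.set_content("See the attached file for details.")
    m.add_attachment(b"MZ\x00\x00", maintype="application",
                     subtype="octet-stream", filename="wicked_scr.scr")
    return m.as_bytes()
```

A benign message with none of the listed subjects, bodies or attachment names yields an empty indicator list and is not quarantined.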

This worm deactivates its propagation routine on September 10, 2003.

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

Update: Important TrendLabs Advisory

As a precautionary measure against this worm's expected file download, TrendLabs advises all users to be vigilant about a new yet still unnamed threat from WORM_SOBIG.F.

After its release last August 19, this worm is expected to download a file on the following time and day conditions:

  • Day of the week is Friday or Sunday (GMT)
  • Hour of the day is between 7 PM (19H) and 10 PM (22H) (GMT)

Note that the local trigger time varies across time zones, since the worm obtains Coordinated Universal Time (UTC) from a randomly selected Network Time Server (NTS).

During the cited trigger conditions, this worm will try to connect to a server and download a file, which TrendLabs expects to be a new variant, an update, or even a destructive component.

TrendLabs researchers have tried simulating this routine by running the worm file on the above specified dates in the hope of getting a complete picture of the new threat. However, no files were actually downloaded at the time of simulation testing.

Please note that our researchers expect that the virus author will make the file available just minutes before the trigger dates and times. Our experts are now on a keen lookout for this.

To avoid possible infection, TrendLabs strongly advises users to do the following:

  1. Download the latest pattern file.
  2. Block port 8998 for all outbound traffic to prevent the malware from contacting the remote servers where it can download the file.
  3. Block ports 995 to 999 for all inbound traffic to prevent any active server from sending the download source to the worm.
  4. Download the Trend Micro System Cleaner.


Description created: Aug. 19, 2003 2:07:56 AM GMT -0800
Description updated: Aug. 19, 2003 9:08:20 AM GMT -0800
