January 28, 2011

W32.Sobig.F

It is a mass-mailing worm that infects host computers through innocuously named e-mail attachments such as application.pif and thank_you.pif. When activated, the worm sends itself to e-mail addresses harvested from a range of local file types, and the end result is massive amounts of Internet traffic. Upon execution, it drops a copy of itself in the Windows folder as WINPPR32.EXE. It also drops a non-malicious text file, WINSTT32.DAT, in the Windows folder.
It is also known as Sobig.F, WORM SOBIG.F, W32/Sobig-F, Win32.Sobig.F and I-Worm.Sobig.f. It infects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP.
The email it sends consists of the following:

From: Spoofed address. The address is taken from files on the infected computer, so the apparent sender is not the real one. The worm may also use the address admin@internet.com as the sender.

Subject:
  • Re: Details
  • Re: Approved
  • Re: Re: My details
  • Re: Thank you!
  • Re: That movie
  • Re: Wicked screensaver
  • Re: Your application
  • Thank you!
  • Your details
Body:
  • See the attached file for details
  • Please see the attached file for details.
Attachment:
  • your_document.pif
  • document_all.pif
  • thank_you.pif
  • your_details.pif
  • details.pif
  • document_9446.pif
  • application.pif
  • wicked_scr.scr
  • movie0045.pif
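As an added example (not code from the original post), the following Python matches one raw message against the sender, subject, body and attachment-name indicators listed above. The heuristic that flags any other .pif or .scr attachment, the combination rule in is_sobig and the constructed sample messages are assumptions added here.

```python
# Added example: match a raw RFC 822 message against the Sobig.F mail indicators above.
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicator sets copied from the description above.
SOBIG_SENDER = "admin@internet.com"
SOBIG_SUBJECTS = {"Re: Details", "Re: Approved", "Re: Re: My details",
                  "Re: Thank you!", "Re: That movie", "Re: Wicked screensaver",
                  "Re: Your application", "Thank you!", "Your details"}
SOBIG_BODIES = {"See the attached file for details",
                "Please see the attached file for details."}
SOBIG_ATTACHMENTS = {"your_document.pif", "document_all.pif", "thank_you.pif",
                     "your_details.pif", "details.pif", "document_9446.pif",
                     "application.pif", "wicked_scr.scr", "movie0045.pif"}

def sobig_indicators(raw: bytes) -> list:
    """Return the Sobig.F indicators present in one RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if parseaddr(str(msg["From"] or ""))[1].lower() == SOBIG_SENDER:
        hits.append("sender")
    if str(msg["Subject"] or "").strip() in SOBIG_SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in SOBIG_BODIES:
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in SOBIG_ATTACHMENTS:
            hits.append("attachment")
        elif name.endswith((".pif", ".scr")):
            # Added heuristic: the worm only ever shipped .pif/.scr payloads.
            hits.append("executable-attachment")
    return hits

def is_sobig(raw: bytes) -> bool:
    """Flag a known attachment name arriving with a known subject or body text."""
    hits = set(sobig_indicators(raw))
    return "attachment" in hits and bool(hits & {"subject", "body"})

def build_sample(subject, body, attachment, sender="someone@example.com") -> bytes:
    """Construct a test message; all content here is made up for this example."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content(body)
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=attachment)
    return m.as_bytes()
```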
It has the following features:
  • The worm de-activates on September 10, 2003.
  • W32.Sobig.F@mm uses a technique known as "email spoofing," by which the worm randomly selects an address it finds on an infected computer and uses it as the sender. For more information on email spoofing, see the "Technical Details" section.
  • The de-activation date applies only to the mass-mailing, network propagation, and email address collection routines. This means that a W32.Sobig.F@mm-infected computer will still attempt to download updates from the respective list of master servers during the associated trigger period, even after the infection de-activation date.
  • The targeted IP addresses become unresponsive, or very heavy traffic is observed on them.
  • Before carrying out its infection routine, it also checks if Winsock 2.02 is installed in the system. If it is not available, then this worm simply terminates.
  • It creates registry entries for auto-execution:
            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
                TrayX = "%Windows%\winppr32.exe /sinc"
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
                TrayX = "%Windows%\winppr32.exe /sinc"
After creating the threads, this worm gathers target recipients for its mailing routine from files with the following extensions on all fixed drives:
  • DBX
  • HLP
  • MHT
  • WAB
  • HTML
  • HTM
  • TXT
  • EML
  • Each email propagation thread first checks for an Internet connection by attempting to resolve the IP address of the DNS root server A.ROOT-SERVERS.NET. If this fails, it sleeps for about an hour and tries again; otherwise, it continues with its email propagation routine.
  • It propagates by mass-mailing copies of itself using its own SMTP (Simple Mail Transfer Protocol) engine. The engine can communicate with servers that support Extended SMTP (ESMTP), an enhanced version of SMTP that supports authentication to minimize the creation of spammed email messages.
  • It obtains an SMTP server from the domains of the gathered email addresses: the worm performs a DNS query to obtain the IP addresses of the MX (Mail Exchanger) servers of those domains.
