Free Republic

Fast-spreading Sobig.F worm adds to 'Worm Week'
Reuters ^ | August 19, 2003

Posted on 08/19/2003 4:13:42 PM PDT by Dog Gone

SAN FRANCISCO - A new mass e-mail worm that attempts to download files from the Internet and potentially leave computers vulnerable to further attack was spreading quickly around the world today, anti-virus experts said.

The new worm, dubbed Sobig.F, is at least the fourth new, major Internet worm to hit computers worldwide in the past week, prompting anti-virus vendor F-Secure to declare this the "worst virus week ever."

Sobig.F, a variant of an older worm, began spreading Monday in Europe and has infected an estimated tens of thousands of Windows-based computers, said Patrick Hinojosa, chief technology officer at Panda Software, based in Madrid.

It arrives in e-mail and includes a variety of subject lines, including "Your details," "Thank you!," "Your application" and "Wicked screensaver." It has caused some corporate e-mail systems to grind to a halt, according to Sophos Inc.

When the .pif or .scr attachment is opened, Sobig.F infects the computer and sends itself on to other victims using a random e-mail address from the address book.

It also prepares the computer to receive orders and tries to download files from the Internet, said Hinojosa. It was unknown exactly what files they were, he said.

If the infected computer is on a shared network, the worm tries to copy itself to the other computers on that network.

The worm is programmed to stop spreading on Sept. 10.

Network Associates Inc. has rated Sobig.F a medium risk because of the quick rate of spread, said Jimmy Kuo, research fellow at Network Associates, an anti-virus software vendor.

Sobig.F was spreading at an "alarming rate," accounting for nearly 80 percent of all infection reports recorded Tuesday, according to anti-virus provider Central Command.

Sobig.F comes on the heels of the Blaster, or LoveSan, worm which hit hundreds of thousands of computers worldwide last week, spreading to victims through a security hole in the Windows operating system and crashing them.

On Monday, another worm surfaced that was written to remove Blaster from infected computers and patch the hole. That worm, dubbed "Welchia" or "Nachi," was temporarily paralyzing many corporate networks, experts reported.

In addition, an e-mail hoax was circulating, purporting to be a patch from Microsoft for the security hole Blaster exploits. But the e-mail instead contains a Trojan application that installs itself on the computer as a back door enabling an attacker remote access to the system.

There has not been so much virus activity since the Code Red and Nimda worms hit about a year ago, experts said.


TOPICS: Extended News; News/Current Events; Technical
KEYWORDS: computers; lowqualitycrap; microsoft; techindex; virus; windows; worm

1 posted on 08/19/2003 4:13:43 PM PDT by Dog Gone
[ Post Reply | Private Reply | View Replies]
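The article's indicators (the listed subject lines and a .pif or .scr attachment) are enough for a simple mailbox-side check. The following is an added Python example, not code from Reuters or from anyone in this thread: it parses a raw message with the standard `email` module and flags it on those two signals. The sample messages are constructed inline and the sender addresses are placeholders. The From header is ignored entirely, since the worm fills it in from a victim's address book, and a matching subject on its own is only recorded as context, because "Thank you!" is a common legitimate subject.

```python
import os
import re
import email
from email import policy
from email.message import EmailMessage

# Subject lines reported for Sobig.F in the article and thread, normalised
# (lower case, "Re:" prefixes and trailing punctuation stripped).
SOBIG_SUBJECTS = {
    "your details", "thank you", "your application", "wicked screensaver", "details",
}

# Attachment extensions the article names; both run as programs on Windows.
RISKY_EXTENSIONS = {".pif", ".scr"}


def normalize_subject(subject):
    """Lower-case, drop any number of leading 'Re:' markers and trailing punctuation."""
    s = (subject or "").strip().lower()
    s = re.sub(r"^(re\s*:\s*)+", "", s)
    return s.rstrip("!.?").strip()


def classify(raw):
    """Return {'suspect': bool, 'reasons': [...]} for one raw RFC 2822 message.

    The From header is deliberately not consulted: the worm fills it with an
    address taken from the victim's address book, so it says nothing about
    where the message really came from.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    risky = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            risky.append(name)
            reasons.append(f"attachment {name!r} has a {ext} extension")

    subject = str(msg.get("Subject", ""))
    if normalize_subject(subject) in SOBIG_SUBJECTS:
        reasons.append(f"subject {subject!r} matches a reported Sobig.F subject line")

    # An executable attachment is enough on its own; a matching subject without
    # one is only recorded as context, since "Thank you!" is a common real subject.
    return {"suspect": bool(risky), "reasons": reasons}


def build_sample(subject, filename=None):
    """Construct a sample message (not a real capture) to exercise classify()."""
    msg = EmailMessage()
    msg["From"] = "forged-sender@example.invalid"  # placeholder; the worm forges this
    msg["To"] = "recipient@example.invalid"        # placeholder
    msg["Subject"] = subject
    msg.set_content("Please see the attached file for details.")
    if filename:
        # A few bytes standing in for the attachment payload; not the real file.
        msg.add_attachment(b"MZ" + b"\x00" * 30,
                           maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("Re: Your application", "application.pif"),
                        ("Wicked screensaver", "wicked.scr"),
                        ("Thank you!", None),
                        ("Quarterly report", "report.pdf")]:
        print(subj, fname, classify(build_sample(subj, fname)))
```

Running the block prints one verdict per constructed sample; only the two with .pif/.scr attachments come back as suspect. The same `classify()` function can be fed messages read from a mailbox file with `mailbox.mbox`, one `as_bytes()` at a time.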

To: Dog Gone
I have probably been hit over 50 times today! What a pain in the YOU-KNOW-WHAT!!!
2 posted on 08/19/2003 4:14:31 PM PDT by Rabid Dog
[ Post Reply | Private Reply | To 1 | View Replies]

To: Rabid Republican
I'm downloading email at home right now, and I am receiving an alert on a particular email which contains it. It's in a message entitled "Re: Your application". I'm currently debating whether to delete it on the spot, or to look at where it came from.
3 posted on 08/19/2003 4:20:12 PM PDT by Dog Gone
[ Post Reply | Private Reply | To 2 | View Replies]

To: Dog Gone
Just delete it!
4 posted on 08/19/2003 4:23:09 PM PDT by Rabid Dog
[ Post Reply | Private Reply | To 3 | View Replies]

To: Dog Gone
I've gotten 6 on my home e-mail address. Since I have a Mac I don't care.
5 posted on 08/19/2003 4:29:27 PM PDT by UB355
[ Post Reply | Private Reply | To 1 | View Replies]

To: Rabid Republican
Done. It turns out I got the email three times from an email from sales@expertsatellite.com

The virus was in each one of them.

6 posted on 08/19/2003 4:30:25 PM PDT by Dog Gone
[ Post Reply | Private Reply | To 4 | View Replies]

To: Dog Gone
Get Norton Firewall and you can have hours of fun looking at where various attacks come from. I just discovered that the most recent intrusion attempt (I think it was when Norton detected the trojan) came from Dubai, United Arab Emirates...
7 posted on 08/19/2003 4:31:40 PM PDT by livius
[ Post Reply | Private Reply | To 3 | View Replies]

To: Rabid Republican
Oops. Four times. The last was from johndessauer@investorplace.com with an email title of "Thank you!".
8 posted on 08/19/2003 4:33:03 PM PDT by Dog Gone
[ Post Reply | Private Reply | To 4 | View Replies]

To: Dog Gone
Expect to get more. I also got a Subject: Thank you variation.
9 posted on 08/19/2003 4:33:50 PM PDT by Rabid Dog
[ Post Reply | Private Reply | To 6 | View Replies]

To: Rabid Republican
I have received all of the tag lines today. I did not open any but deleted them. I use PC-cillin 2002 and Windows XP Pro. I got no alerts that they contained a virus; my program updates my computer every time that I log on. Anybody else see anything like this?

I did just download all the windows security patches on it plus on my Windows 98 at home during the first alert.

I did a PC-cillin 2000 update just now and had to download an update for my home PC.
10 posted on 08/19/2003 4:36:42 PM PDT by tall_tex
[ Post Reply | Private Reply | To 2 | View Replies]

To: Dog Gone
It looks like this worm will also propagate from an infected computer by sending itself with random "From" addresses - I got an e-mail from someone saying "stop e-mailing me" - and I have no idea who the heck it is...plus, several copies of the worm were detected by Norton's e-mail scan. I have also scanned my machine - and I'm sure I don't have it, and shouldn't spread it.
11 posted on 08/19/2003 4:41:01 PM PDT by Keith in Iowa (Tag line produced using 100% post-consumer recycled ethernet packets,)
[ Post Reply | Private Reply | To 1 | View Replies]

To: tall_tex
I'm not a real computer person - but I do have Norton's anti-virus program. It has been operating constantly all day and I have deleted at least 60 e-mails.

Some of them are coming from "radio" stations; "schools"; state of TX; etc. Subject lines are details; RE: details; thank you; and something from Jim Brown with a subject line that may or may not be legit regarding Symantec virus. (I got it four times with an attachment)

I ruthlessly delete without opening always - unless I know the sender and even then I won't open any attachment unless it makes perfect, unambiguous sense.
12 posted on 08/19/2003 4:41:47 PM PDT by Rabid Dog
[ Post Reply | Private Reply | To 10 | View Replies]

To: tall_tex
I did a Norton antivirus update when I saw this story, and before I posted it. Norton did add files, so I'm assuming that this virus was one of them.

I don't think Windows can protect you from this virus, since the goal is to make you execute the file through normal email tricks.

13 posted on 08/19/2003 4:44:21 PM PDT by Dog Gone
[ Post Reply | Private Reply | To 10 | View Replies]

To: Rabid Republican
When W32.Sobig.F@mm is executed, it performs the following actions:

1. Copies itself as %Windir%\winppr32.exe.

   NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

2. Creates the file %Windir%\winsst32.dat.

3. Adds the value:

   "TrayX"="%Windir%\winppr32.exe /sinc"

   to the registry key:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

   so the worm runs when you start Windows.

4. Attempts to copy itself to any network shares it has write access to. The worm will utilize standard Windows APIs to do this.

Sobig.F can download arbitrary files to an infected computer and execute them. The author of the worm has used this functionality to steal confidential system information and to set up spam relay servers on infected computers.

This functionality may also be used as a worm self-update feature. Under the correct conditions, Sobig.F attempts to contact one of the list of master servers, which the author of the worm controls. Then, the worm retrieves a URL that it uses to determine where to get the Trojan file, downloads the Trojan file to the local computer, and then executes it.

In Sobig.F, the conditions for this download attempt are:
Sobig.F obtains the UTC time through the NTP protocol, by contacting one of several possible servers on port 123/udp (the NTP port).

The worm starts the download attempt by sending a probe to port 8998/udp of the master server. Then, the server replies with a URL, where the worm can download the file to execute.

Sobig.F also opens the following ports:
and it listens for any incoming UDP datagrams on these ports. Incoming datagrams are parsed, and upon receiving a datagram with the proper signature, the master server list of the worm may be updated.

Network administrators should do the following:
14 posted on 08/19/2003 4:47:54 PM PDT by Dog Gone
[ Post Reply | Private Reply | To 12 | View Replies]
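The persistence and download details in the writeup above (the TrayX value under the Run key pointing at winppr32.exe, and the probe to 8998/udp of a master server) translate directly into two defensive checks. The following is an added Python example, not Symantec's text or code from anyone in this thread. The first function parses the text of a `reg export` of the Run keys and flags the worm's value name and executable; it checks the Run key under any hive, not just HKEY_LOCAL_MACHINE as the writeup names, which is a small generalization. The second scans firewall log lines for outbound UDP to port 8998. Both the registry export and the log lines are constructed samples, and the eight-field log format is an assumption. NTP traffic on 123/udp is deliberately not flagged, since the worm's time lookup is indistinguishable from a normal host syncing its clock.

```python
import re

# Constructed sample of `reg export` output for two Run keys (not a real host).
# The .reg format writes backslashes doubled inside quoted values.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\Program Files\\Audio\\soundtray.exe"
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Messenger"="C:\\Program Files\\Messenger\\msmsgs.exe /background"
'''

# Constructed firewall log lines (assumed format):
# date time action proto src dst sport dport
SAMPLE_FW_LOG = """\
2003-08-19 16:31:40 ALLOW UDP 10.0.0.5 192.0.2.10 1049 123
2003-08-19 16:31:41 ALLOW UDP 10.0.0.5 203.0.113.7 1050 8998
2003-08-19 16:31:42 ALLOW TCP 10.0.0.9 198.51.100.4 1051 80
2003-08-19 16:31:43 ALLOW UDP 10.0.0.9 192.0.2.10 1052 123
"""

# Indicators taken from the Symantec text quoted above.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
SUSPECT_VALUE_NAMES = {"trayx"}
SUSPECT_EXES = {"winppr32.exe"}
MASTER_SERVER_PORT = 8998  # udp port the worm probes on its master servers


def find_run_persistence(reg_text):
    """Flag Run-key entries in a .reg export that match the Sobig.F indicators."""
    findings = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # new key section
            continue
        if current_key is None or not RUN_KEY_RE.search(current_key):
            continue                          # only inspect Run keys
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m:
            continue                          # blank line or non-string value
        name = m.group(1)
        value = m.group(2).replace("\\\\", "\\")   # undo .reg backslash doubling
        exe = re.search(r'[^\\/:"]+\.exe', value, re.I)
        exe_name = exe.group(0).lower() if exe else ""
        if name.lower() in SUSPECT_VALUE_NAMES or exe_name in SUSPECT_EXES:
            findings.append({"key": current_key, "name": name, "value": value})
    return findings


def flag_master_server_probes(log_text):
    """Return (src, dst) pairs for UDP flows to the worm's master-server port."""
    probes = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue                          # skip lines not in the assumed format
        _, _, _, proto, src, dst, _, dport = fields
        if proto == "UDP" and int(dport) == MASTER_SERVER_PORT:
            probes.append((src, dst))
    return probes


if __name__ == "__main__":
    for f in find_run_persistence(SAMPLE_REG):
        print("persistence:", f["key"], f["name"], "=", f["value"])
    for src, dst in flag_master_server_probes(SAMPLE_FW_LOG):
        print("master-server probe:", src, "->", dst)
```

On the constructed input the registry check reports only the TrayX entry under HKEY_LOCAL_MACHINE, and the log check reports the single 10.0.0.5 flow to port 8998; the two hosts that only contacted 123/udp are not reported. A host that shows up in both lists is the one to pull off the network first.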

To: All
Listen up newbies: the email addresses you're posting here are probably NOT the addresses that are sending the virus.

The virus grabs random email addresses and fills them into the "from" heading when it's sent out.

How do I know this? Because I keep getting "mail undeliverable" returns even though I don't have, and am not sending out, the virus. It's using my email addy, but there isn't a thing I can do about it.

Stop posting people's email addresses!

15 posted on 08/19/2003 4:51:44 PM PDT by proust (Cthulhu for president! Why vote for the lesser of two evils?)
[ Post Reply | Private Reply | To 8 | View Replies]

To: Dog Gone
The worm is programmed to stop spreading on Sept. 10.

And start doing something else rather interesting on a certain high-profile anniversary the next day...?

16 posted on 08/19/2003 4:52:48 PM PDT by Timesink
[ Post Reply | Private Reply | To 1 | View Replies]

To: proust
Chill. Nobody said those email addresses were the source. But anyone getting an email from one of those sources should delete it. Even from yours.
17 posted on 08/19/2003 4:56:48 PM PDT by Dog Gone
[ Post Reply | Private Reply | To 15 | View Replies]

To: Dog Gone
There should be a special (living) hell for the people who create a virus or worm, doncha think? The person who did this one thinks they're so creative and cute and funny, calling it SO BIG F.

Since I use Outlook Express for my email, I set it to the preview pane and immediately delete all junkmail and stupidity as well as any email that's from someone I don't know.

Will someone tell me WHY people like to send chain letters---send this to 10 friends or you will not get your wish---and "cute" little fluffy angels and teddy bears and twenty-times-forwarded boopie doos with all the headers and <<<<??? Do MEN get this kind of garbage or is it strictly a female thing?

18 posted on 08/19/2003 5:03:39 PM PDT by arasina (A place is what YOU make it.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Dog Gone
Chill. Nobody said those email addresses were the source. But anyone getting an email from one of those sources should delete it. Even from yours.

You really don't seem to understand the scope of this problem. I've gotten the email at least 15 times today. It's obvious that hundreds of addresses are currently being spoofed. It doesn't do anybody any good to post some poor guy's address here. Posting addresses to avoid emails from isn't a practical solution.

But anyone getting an email from one of those sources should delete it. Even from yours.

And it's not the source of the email, it's the subject heading and size of email that gives the virus away. The source in the "from" box has nothing to do with it.

19 posted on 08/19/2003 5:06:35 PM PDT by proust (Cthulhu for president! Why vote for the lesser of two evils?)
[ Post Reply | Private Reply | To 17 | View Replies]

To: arasina
Men get it, too. I have an old email address from a previous provider that is being forwarded to my new email address, and it's 100% responsible for the spam. I get crap designed for women exclusively, as well as the normal male sexual prowess garbage.

The only reason I don't disconnect the old address is because it's easy to identify and eliminate garbage which I get when I have to use my email address on an internet page.

The new email address has never been input on a website asking for my address, so it makes it very easy to take out the junkmail.

20 posted on 08/19/2003 5:08:33 PM PDT by Dog Gone
[ Post Reply | Private Reply | To 18 | View Replies]

