New Virus Sobig.F and how to prevent/remove




Posted by Freedom Rider from dialup-67.73.32.11.Dial1.LosAngeles1.Level3.net (67.73.32.11) on Tuesday, August 26, 2003 at 10:49PM :


What Is the Sobig.F Virus and How Can I Prevent or Remove It?

Overview

If you are not running anti-virus software, or do not have the most current virus definitions for your anti-virus software, you may have a virus on your system without being aware of it.

Characteristics of the Virus

How Can I Tell if I Am Infected?

Removal of the Virus

Prevention of the Virus

Click the links above for detailed instructions.

NOTE: For up-to-date information on the latest virus threats, virus descriptions, hoaxes, and virus removal tools, go to one of the following Web sites:

McAfee® — http://www.mcafee.com/anti-virus/
Norton AntiVirus® — http://www.sarc.com

Additional Information


--------------------------------------------------------------------------------

Characteristics of the Virus

This virus is commonly distributed through e-mail with the following characteristics:

From: admin@internet.com or a random e-mail address found on the infected system.


Subject line of e-mail:

Re: Details
Your details
Re: Approved
Re: Re: My details
Re: Thank you!
Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application


Message body:

Please see the attached file for details
See the attached file for details

File attachment name:

your_document.pif
document_all.pif
thank_you.pif
details.pif
your_details.pif
document_9446.pif
application.pif
movie0045.pif
wicked_scr.scr
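The sender, subject lines, body text and attachment names above are the whole of the lure, so a mail gateway or a help desk can triage a suspect message against them without needing a signature update. The following is an added example, not part of the Dell article: it parses a raw message with Python's standard `email` library and reports which of the listed indicators are present. The two sample messages at the bottom are constructed for the demonstration (the attachment content is a harmless placeholder), and the verdict rules (quarantine on any .pif/.scr attachment, suspicious on header or body matches alone) are this example's own choice.

```python
"""Mail triage against the Sobig.F lure indicators listed in the article.

Added example; assumes the message is available as raw RFC 822 text.
"""
from __future__ import annotations

from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Indicators exactly as the article lists them (compared case-insensitively).
SPOOFED_SENDER = "admin@internet.com"
LURE_SUBJECTS = {s.lower() for s in (
    "Re: Details", "Your details", "Re: Approved", "Re: Re: My details",
    "Re: Thank you!", "Thank you!", "Re: That movie",
    "Re: Wicked screensaver", "Re: Your application")}
LURE_BODIES = {"please see the attached file for details",
               "see the attached file for details"}
LURE_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif", "details.pif",
    "your_details.pif", "document_9446.pif", "application.pif",
    "movie0045.pif", "wicked_scr.scr"}
# Any attachment of these types is executable on Windows, whatever its name.
EXECUTABLE_SUFFIXES = (".pif", ".scr")


def attachment_names(msg: Message) -> list[str]:
    """Every part that carries a filename, in message order."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def first_text_body(msg: Message) -> str:
    """The first text/plain part that is not itself an attachment."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            return raw.decode("utf-8", errors="replace").strip()
    return ""


def triage(raw_message: str) -> dict:
    """Return the indicators found in one message and a verdict."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    names = attachment_names(msg)
    body = first_text_body(msg)

    header_hits: list[str] = []
    attachment_hits: list[str] = []
    if subject.lower() in LURE_SUBJECTS:
        header_hits.append(f"subject matches lure: {subject!r}")
    if sender == SPOOFED_SENDER:
        header_hits.append(f"spoofed sender: {sender}")
    if body.lower() in LURE_BODIES:
        header_hits.append(f"body matches lure: {body!r}")
    for name in names:
        low = name.lower()
        if low in LURE_ATTACHMENTS:
            attachment_hits.append(f"known Sobig.F attachment name: {name}")
        elif low.endswith(EXECUTABLE_SUFFIXES):
            attachment_hits.append(f"executable attachment type: {name}")

    # An executable attachment is enough on its own; header/body matches
    # without one (e.g. a genuine "Re: Details" reply) are only flagged.
    if attachment_hits:
        verdict = "quarantine"
    elif header_hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"subject": subject, "sender": sender, "attachments": names,
            "indicators": header_hits + attachment_hits, "verdict": verdict}


# Constructed sample: one lure shaped like the article's description,
# one ordinary message.  The base64 payload is just the text "ABCD".
SAMPLE_LURE = """\
From: admin@internet.com
To: user@example.invalid
Subject: Re: Wicked screensaver
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

See the attached file for details
--BOUNDARY
Content-Type: application/octet-stream; name="wicked_scr.scr"
Content-Disposition: attachment; filename="wicked_scr.scr"
Content-Transfer-Encoding: base64

QUJDRA==
--BOUNDARY--
"""

SAMPLE_CLEAN = """\
From: Colleague <colleague@example.invalid>
To: user@example.invalid
Subject: Meeting notes
Content-Type: text/plain; charset="us-ascii"

Notes from this morning are in the shared folder.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_CLEAN):
        result = triage(raw)
        print(result["verdict"], result["subject"], result["indicators"])
```

The verdict deliberately does not rely on the sender address: Sobig.F also forges the From line from addresses harvested on the infected machine, so the attachment type is the indicator that survives when the headers vary.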

Return to Overview

--------------------------------------------------------------------------------

How Can I Tell if I Am Infected?


NOTE: %windir% is the default Windows folder, such as: C:\Windows (Windows XP/Me/98/95) or C:\Winnt\ (Windows NT or 2000).


The virus creates the following files in the Windows folder:

winppr32.exe
winstt32.dat

This worm virus adds the following entries in the Windows registry so it can load at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX"=%Windir%\winppr32.exe /sinc

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX"=%Windir%\winppr32.exe /sinc

The following ports are opened by the virus to receive backdoor commands:

995
996
997
998
999
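The three host indicators in this section (the two dropped files, the TrayX Run values and the five ports) can be checked from text collected on a suspect machine (`dir` of the Windows folder, `reg query` of the two Run keys, `netstat -an`) without executing anything further on it. The following is an added example and not part of the Dell article: it parses that captured output and reports which indicators are present. All sample output at the bottom is constructed, and the rule that a port hit alone does not count as infection is this example's own caveat: TCP port 995 is also the standard POP3-over-TLS port, so a listener there needs corroboration from the file or registry indicators.

```python
"""Host-indicator triage for Sobig.F from captured dir / reg query / netstat text.

Added example; the parsers assume Windows 2000/XP-era output layouts.
"""
from __future__ import annotations

import re

DROPPED_FILES = {"winppr32.exe", "winstt32.dat"}
RUN_VALUE_NAME = "trayx"          # value name the worm writes under ...\Run
RUN_PAYLOAD = "winppr32.exe"      # the executable the value points at
BACKDOOR_PORTS = {995, 996, 997, 998, 999}

# "    TrayX    REG_SZ    C:\WINDOWS\winppr32.exe /sinc"
REG_LINE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*?)\s*$")
# "  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING"  /  "  UDP  0.0.0.0:995  *:*"
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_reg_query(text: str) -> dict[tuple[str, str], str]:
    """Map (key path, value name) -> data from `reg query` output."""
    current_key = None
    values: dict[tuple[str, str], str] = {}
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = REG_LINE.match(line)
        if m and current_key:
            values[(current_key, m.group(1))] = m.group(3)
    return values


def suspicious_run_values(values: dict[tuple[str, str], str]) -> list[str]:
    """Run values that carry the worm's name or point at its executable."""
    hits = []
    for (key, name), data in values.items():
        if name.lower() == RUN_VALUE_NAME or RUN_PAYLOAD in data.lower():
            hits.append(f"{key}\\{name} = {data}")
    return hits


def listening_backdoor_ports(netstat_text: str) -> list[tuple[str, int]]:
    """Local sockets bound on 995-999 (UDP always; TCP only when LISTENING)."""
    hits = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1), int(m.group(3)), m.group(5)
        if proto == "TCP" and state != "LISTENING":
            continue
        if port in BACKDOOR_PORTS:
            hits.add((proto, port))
    return sorted(hits)


def dropped_files_present(windir_listing: list[str]) -> list[str]:
    return sorted(f for f in windir_listing if f.lower() in DROPPED_FILES)


def assess(windir_listing: list[str], reg_text: str, netstat_text: str) -> dict:
    files = dropped_files_present(windir_listing)
    run_values = suspicious_run_values(parse_reg_query(reg_text))
    ports = listening_backdoor_ports(netstat_text)
    # Ports alone are weak evidence (TCP 995 is POP3S on a mail server), so
    # they are reported but only the file and Run-key hits decide "infected".
    return {"files": files, "run_values": run_values, "ports": ports,
            "infected": bool(files or run_values)}


# Constructed samples: an infected host and a clean mail server.
SAMPLE_WINDIR = ["explorer.exe", "notepad.exe", "winppr32.exe",
                 "winstt32.dat", "system.ini"]
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    TrayX    REG_SZ    C:\WINDOWS\winppr32.exe /sinc
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.5:1034         192.0.2.9:80           ESTABLISHED
  UDP    0.0.0.0:995            *:*
  UDP    0.0.0.0:996            *:*
  UDP    0.0.0.0:999            *:*
"""
CLEAN_WINDIR = ["explorer.exe", "notepad.exe", "system.ini"]
CLEAN_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""
CLEAN_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:995            0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    print(assess(SAMPLE_WINDIR, SAMPLE_REG, SAMPLE_NETSTAT))
    print(assess(CLEAN_WINDIR, CLEAN_REG, CLEAN_NETSTAT))
```

Run against real captures, feed `dir /b %windir%` into the listing, `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` plus the HKCU equivalent into `reg_text`, and `netstat -an` into `netstat_text`; the clean-server sample shows why the port check by itself is only a prompt to look further.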

Return to Overview

--------------------------------------------------------------------------------

Removal of the Virus

Download Virus-Cleaning Tool

Free stand-alone virus/worm removal programs are available from Symantec and McAfee.

Click one of the links listed below and save it to your Windows Desktop:

McAfee:

http://download.nai.com/products/mcafee-avert/stinger.exe

Symantec:

http://securityresponse.symantec.com/avcenter/FixSbigF.exe

Disconnect from the Internet and Network

If you have a full-time Internet connection (cable modem/DSL) or more than one computer and they are networked together, complete the following steps:

Shut down your computer.

While the system is shut down, disconnect any network cable (such as local network, cable modem, DSL, broadband) from the back of the system.

Turn on your computer.

If using a dial-up (i.e., modem) connection, do not connect to the Internet.

Disable System Restore

Before removing the virus, System Restore must be turned off.

Click the Start button, right-click My Computer, and then left-click Properties from the menu.
The System Properties window appears.

Click the System Restore tab.

Click to check Turn Off System Restore.

Click the OK button.
A System Restore window appears.

Click Yes to disable System Restore.

NOTE: After you have removed the virus, repeat these steps to re-enable System Restore. Having this feature enabled allows the system to return to a previous state with little effort.

Run Virus-Cleaning Tool

Find the downloaded file named either:

stinger.exe or FixSbigF.exe

Double-click the file to begin the removal of the virus.

Restart the computer after the tool has removed the virus.

Re-enable System Restore

Update your virus scan software definition files.


Return to Overview

--------------------------------------------------------------------------------

Prevention of the Virus

Keeping your operating system and applications up-to-date with the latest anti-virus definitions and operating system security patches can protect your system from many attacks and can also help stop the propagation of certain worms and security threats.

Perform the steps in the following sections to help prevent infection:

Update your anti-virus program regularly and configure it for automatic updates if available.
If your subscription has expired please contact either Symantec or McAfee to update your subscription.

Keep a current anti-virus program installed and protection enabled at all times.
If you are no longer using the anti-virus software provided by Dell, you should ensure that your system has anti-virus software installed.

Do not open any files received by e-mail or chat with the following names:

document_all.pif
thank_you.pif
details.pif
your_details.pif
document_9446.pif
application.pif
movie0045.pif
wicked_scr.scr


Use Windows Update to install any security updates available.
To install security updates, click the link below and install the security updates listed under Critical Updates.
http://windowsupdate.microsoft.com


Disable the Preview Pane in Outlook or Outlook Express from the View menu.

Do not open unexpected files received by e-mail or chat.

Password protect shared network drives if you have networked computers. The virus will try to create copies of itself on network drives every 30 minutes.

Disconnect infected computers from a local area network (LAN) to avoid infecting your other computers.

To prevent future Internet-based attacks, refer to Dell Knowledge Base Article:

HO1083341 — "How Can I Secure and Protect my Dell™ Computer from Internet Attacks?"


Return to Overview

--------------------------------------------------------------------------------

Additional Information

For the latest information on the Sobig.f worm virus, click the link for your specific anti-virus software below:

McAfee — http://us.mcafee.com/virusInfo/default.asp?id=helpCenter&hcName=sobig
Norton AntiVirus — http://www.sarc.com/avcenter/venc/data/w32.sobig.f@mm.html

For up-to-date information on the latest virus threats, virus descriptions, hoaxes, and virus removal tools, click the link for your specific anti-virus software below:

McAfee — http://www.mcafee.com/anti-virus/
Norton AntiVirus — http://www.sarc.com


Support Options
For help renewing your anti-virus subscription or removing a virus, refer to the following Dell Knowledge Base Articles:

RA1056219 — "How do I contact McAfee?"
FA1074668 — "How do I Contact McAfee for Dell SecurityCenter Support?"
FA1049455 — "How do I contact Symantec for questions concerning my Norton AntiVirus software?"


For more troubleshooting assistance, click one of the support options below.

Dell Community Forum
Get answers from Dell customers helping each other.

E-mail Dell
Communicate by e-mail with a Dell Representative.

Return to Overview


--------------------------------------------------------------------------------

Keywords for this Document:

I-Worm.Sobig.f | infected | sobig.f | virus | W32/Sobig.F-mm | W32/Sobig.f@MM | winppr32.exe | winstt32.dat | Worm | WORM_SOBIG.F |



Hot Topic

Document Number:
HO1084180

Release Date:
8/22/2003













©2000 Dell Computer Corporation. All rights reserved.

DISCLAIMER
The information in this document has been reviewed and is believed to be accurate. However, neither Dell Computer Corporation nor its affiliates assume any responsibility for inaccuracies, errors, or omissions that may be contained herein. In no event will Dell Computer Corporation or its affiliates be liable for direct, indirect, special, incidental, or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of such damages.

Dell Computer Corporation reserves the right to make improvements or changes to this document and the products and services described at any time, without notice or obligation. This information applies to the continental United States and Canada only, unless specifically stated otherwise.

TRADEMARKS: Dell is a registered trademark of Dell Computer Corporation. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Computer Corporation disclaims any proprietary interest in the marks and names of others.






-- Freedom Rider


