
Virus update 22.8.2003

W32.Sobig.F@mm virus

Names:
Sobig.F [F-Secure], W32/Sobig.f@MM [McAfee], WORM_SOBIG.F [Trend], W32/Sobig-F [Sophos], Win32.Sobig.F [CA], I-Worm.Sobig.f [KAV]

W32.Sobig.F@mm

A fast-mailing, network-aware worm that sends itself to email addresses it finds in files with the following extensions:

.htm
.html
.dbx
.eml
.hlp
.mht
.wab
.txt


The worm uses its own SMTP code to propagate and will attempt to create a copy of itself on
accessible network shares.

What it does:

When W32.Sobig.F@mm is executed, it performs the following actions:

1. Copies itself as %Windir%\winppr32.exe.

NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default,
this is C:\Windows or C:\Winnt) and copies itself to that location.

2. Creates the file %Windir%\winstt32.dat.

3. Adds the value:

"TrayX"="%Windir%\winppr32.exe /sinc"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

4. Adds the value:

"TrayX"="%Windir%\winppr32.exe /sinc"

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

5. Enumerates any network shares to which the infected computer has write access. The worm
uses standard Windows APIs to do this.

How to stop it

Windows NT/2000/XP

To end the worm process:

a. Press Ctrl+Alt+Delete once.
b. Click Task Manager.
c. Click the Processes tab.
d. Double-click the Image Name column header to sort the processes alphabetically.
e. Scroll through the list and look for Winppr32.exe.
f. If you find the file, click it, and then click End Process.
g. Exit the Task Manager.

Deleting the value from the registry

a. Click Start, and then Run.
b. Type regedit
c. Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

d. In the right pane, delete the value:

"TrayX"="%Windir%\winppr32.exe /sinc"

e. Navigate to the key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

f. In the right pane, delete the value:

"TrayX"="%Windir%\winppr32.exe /sinc"

g. Exit the Registry Editor.
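
The files, "TrayX" Run values and Winppr32.exe process described above can be checked in one pass. The PowerShell below is an added example, not part of the original advisory; the function name Find-SobigFIndicator is hypothetical, and it only reports what it finds without changing anything.

```powershell
# Added example: read-only check for the W32.Sobig.F@mm indicators listed above.
# Find-SobigFIndicator is a hypothetical name chosen for this example.
function Find-SobigFIndicator {
    [CmdletBinding()]
    param()

    $findings = @()

    # Files the worm creates in the Windows folder (steps 1 and 2).
    foreach ($name in 'winppr32.exe', 'winstt32.dat') {
        $path = Join-Path $env:windir $name
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{
                Type = 'File'; Location = $path; Detail = 'present'
            }
        }
    }

    # "TrayX" autorun value in the HKLM and HKCU Run keys (steps 3 and 4).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['TrayX']) {
            $findings += [pscustomobject]@{
                Type = 'Registry'; Location = "$key\TrayX"; Detail = $props.TrayX
            }
        }
    }

    # Running worm process (shown as Winppr32.exe in Task Manager).
    foreach ($proc in @(Get-Process -Name 'winppr32' -ErrorAction SilentlyContinue)) {
        $findings += [pscustomobject]@{
            Type = 'Process'; Location = "PID $($proc.Id)"; Detail = $proc.ProcessName
        }
    }

    $findings
}

$result = @(Find-SobigFIndicator)
if ($result.Count -eq 0) {
    'No Sobig.F indicators from this advisory were found.'
} else {
    $result | Format-Table -AutoSize
}
```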

 

Removal tool

Free removal tool here