[pchelpers] SoBig virus
- From: "PcCowboy" <saddle@xxxxxxxxxxxxxxxxxxx>
- To: "pchelper" <pchelpers@xxxxxxxxxxxxx>,"world" <worldparadise@xxxxxxxxxxxxxxx>
- Date: Sun, 24 Aug 2003 21:59:46 -0500
I checked this out and it is the real removal tool.
1. Sobig.F Virus - Complete Removal Tool
W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself
to all the email addresses it finds in files that have the following
extensions: .dbx .eml .hlp .htm .html .mht .wab .txt. The worm uses
its own SMTP engine to propagate and attempts to create a copy of
itself on accessible network shares, but fails due to bugs in the
code.
The email message has the following characteristics: From:
Spoofed address - which means that the sender in the From: field is
most likely not the real sender. The worm may also use the address
admin@xxxxxxxxxxxx as the sender. The spoofed addresses and the Send
To: addresses are both taken from the files found on the computer.
Also, the worm may use the infected computer's settings to check for
an SMTP server to contact. Proliferated emails have one of the
following as their subject: Re: Details, Re: Approved, Re: Re: My
details, Re: Thank you!, Re: That movie, Re: Wicked screensaver, Re:
Your application, Thank you!, Your details.
Sobig.f copies itself as %Windir%\winppr32.exe. %Windir% is a
variable. The worm locates the Windows installation folder - by
default, this is C:\Windows or C:\Winnt - and copies itself to that
location. It creates the file %Windir%\winstt32.dat, adds the value:
TrayX=%Windir%\winppr32.exe /sinc to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so
that the worm runs when you start Windows. It adds the value:
TrayX=%Windir%\winppr32.exe /sinc to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run so
that the worm runs when you start Windows. It enumerates any network
shares to which the infected computer has write access. It uses
standard Windows APIs to do this.
Sobig.F can download arbitrary files to an infected computer and
execute them. The author of the worm has used this functionality to
steal confidential system information and to set up spam relay servers
on infected computers.
The worm is set to expire on September 10th, and should be over
thereafter. In the meantime, even if your regular anti-virus software
has removed discovered virus files, one should run this tool as an
extra precaution. Windows 95/98/Me/NT/2000/XP. Free. 172Kb. Found at
http://www.tudogs.com/security.php
Pc
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003
Regards, John Durham (list moderator) <http://modecideas.com/contact.html?sig>
Freelists login at http://www.freelists.org/cgi-bin/lsg2.cgi
List archives at http://www.freelists.org/archives/pchelpers
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig
Good advice is like good paint- it only works if applied.
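The post lists the concrete indicators of a Sobig.F infection: the two Run keys with a TrayX value pointing at winppr32.exe /sinc, the two files dropped into %Windir%, and the fixed list of mail subjects. The script below is an added example, not part of the original post or of the removal tool it links to; it turns those indicators into a defender's host and mail-log check. It runs against a constructed in-memory snapshot (the sample registry entries, directory listing and subject lines are made up for illustration) so it works offline on any OS; on a real Windows host you would feed it the values read from the two Run keys and a listing of the Windows folder.

```python
"""Defensive Sobig.F indicator check (added example, not from the post).

Indicators come straight from the post: the two Run keys, the TrayX value
whose data ends in "\\winppr32.exe /sinc", the files winppr32.exe and
winstt32.dat in %Windir%, and the worm's fixed subject lines.
"""
import re
from typing import Dict, List

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
DROPPED_FILES = ("winppr32.exe", "winstt32.dat")
SUBJECTS = {
    "Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Thank you!", "Your details",
}

# The concrete %Windir% path varies (C:\Windows, C:\Winnt, ...), so match
# only the tail of the value data, case-insensitively.
_RUN_VALUE_RE = re.compile(r"\\winppr32\.exe\s+/sinc\s*$", re.IGNORECASE)


def check_run_keys(run_entries: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings for Run values that look like Sobig.F persistence.

    run_entries maps a Run key path to {value_name: value_data}; key paths
    are compared case-insensitively because exported registry text varies.
    """
    by_key = {k.lower(): v for k, v in run_entries.items()}
    findings = []
    for key in RUN_KEYS:
        for name, data in by_key.get(key.lower(), {}).items():
            if name.lower() == "trayx" or _RUN_VALUE_RE.search(data):
                findings.append(f"{key}\\{name} = {data}")
    return findings


def check_windir(windir_listing: List[str]) -> List[str]:
    """Return the dropped file names present in a %Windir% listing."""
    present = {f.lower() for f in windir_listing}
    return [f for f in DROPPED_FILES if f in present]


def check_mail_subjects(subjects: List[str]) -> List[str]:
    """Return subject lines that match the worm's fixed subject list."""
    return [s for s in subjects if s.strip() in SUBJECTS]


def assess(run_entries: Dict[str, Dict[str, str]], windir_listing: List[str],
           subjects: List[str]) -> Dict[str, List[str]]:
    """Combine the three checks; a host is suspect if any list is non-empty."""
    return {
        "run_keys": check_run_keys(run_entries),
        "dropped_files": check_windir(windir_listing),
        "subjects": check_mail_subjects(subjects),
    }


# Constructed snapshot of a host showing the indicators from the post.
SAMPLE_RUN = {
    RUN_KEYS[0]: {
        "TrayX": r"C:\WINDOWS\winppr32.exe /sinc",
        "Updater": r"C:\Program Files\Example\upd.exe",  # benign, constructed
    },
    RUN_KEYS[1]: {"TrayX": r"C:\WINNT\winppr32.exe /sinc"},
}
SAMPLE_WINDIR = ["explorer.exe", "winppr32.exe", "WINSTT32.DAT", "notepad.exe"]
SAMPLE_SUBJECTS = ["Re: Wicked screensaver", "Meeting tomorrow", "Your details"]

# Constructed snapshot of a clean host.
CLEAN_RUN = {RUN_KEYS[0]: {"Updater": r"C:\Program Files\Example\upd.exe"}}
CLEAN_WINDIR = ["explorer.exe", "notepad.exe"]
CLEAN_SUBJECTS = ["Meeting tomorrow"]

if __name__ == "__main__":
    for label, args in (("infected", (SAMPLE_RUN, SAMPLE_WINDIR, SAMPLE_SUBJECTS)),
                        ("clean", (CLEAN_RUN, CLEAN_WINDIR, CLEAN_SUBJECTS))):
        result = assess(*args)
        suspect = any(result.values())
        print(f"{label}: {'SUSPECT' if suspect else 'no indicators'} {result}")
```

The value-name check (TrayX) and the value-data check (the winppr32.exe /sinc tail) are deliberately independent, so a renamed value or a different Windows folder still trips one of them; the file check is case-insensitive because NTFS and FAT listings vary in case. A matching subject alone only says the host received or sent worm mail, so it should be read together with the registry and file findings.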