I just got 1300 messages with this one in it!!!! Trend says medium alert... I'd rate it much higher!

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F

--------------------------------------------------------------------------------
Virus type: Worm
Destructive: No
Aliases: Win32.HLLM.Reteras, W32.Sobig.F@mm, W32/Sobig.f@MM, Sobig.F, Win32.Sobig.F, W32/Sobig-F, I-Worm.Sobig.f
Pattern file needed: 617
Scan engine needed: 6.100
Overall risk rating: Medium
--------------------------------------------------------------------------------
Reported infections: Medium
Damage Potential: High
Distribution Potential: High
--------------------------------------------------------------------------------

Description:

TrendLabs has received several infection reports of this mass-mailing worm from Norway and Spain. As of 12:19 PM GMT, Trend Micro has declared a Medium Risk alert to control the spread of this malware.

This worm propagates by mass-mailing copies of itself using its own Simple Mail Transfer Protocol (SMTP) engine. It collects email addresses from files with the following extensions:

    DBX
    HLP
    MHT
    WAB
    HTML
    HTM
    TXT
    EML

It sends out email messages with the following details:

Subject: <any of the following:>
    Re: Thank you!
    Thank you!
    Re: Details
    Re: Re: My details
    Re: Approved
    Re: Your application
    Re: Wicked screensaver
    Re: That movie

Message body: <any of the following:>
    See the attached file for details.
    Please see the attached file for details.

Attachment: <any of the following:>
    your_document.pif
    document_all.pif
    thank_you.pif
    your_details.pif
    details.pif
    document_9446.pif
    application.pif
    wicked_scr.scr
    movie0045.pif

It may spoof the FROM field using email addresses found on the infected machine so that its email messages appear to originate from one source but were actually sent from another.

This worm deactivates its propagation routine on September 10, 2003.

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use the Trend Micro System Cleaner.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

To remove this malware, first identify the malware program.

- Scan your system with your Trend Micro antivirus product.
- NOTE all files detected as WORM_SOBIG.F.

Trend Micro customers need to download the latest pattern file before scanning their system. Other Internet users may use Housecall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

- Open Windows Task Manager.
    On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
    On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
- In the list of running programs*, locate the malware file or files detected earlier.
- Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
- Do the same for all detected malware files in the list of running processes.
- To check if the malware process has been terminated, close Task Manager, and then open it again.
- Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup. To remove the malware autostart entries:

- Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
- In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
- In the right panel, locate and delete the entry or entries:
    TrayX = "%Windows%\winppr32.exe /sinc"
  (Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
- In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
- In the right panel, locate and delete the entry or entries:
    TrayX = "%Windows%\winppr32.exe /sinc"
- Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Deleting Dropped File

- Right-click Start then click Search... or Find... depending on your version of Windows.
- In the Named input box, type:
    WINSTT32.DAT
- In the Look In drop-down list, select the drive which contains Windows, then press Enter.
- Once located, select the file then hit Delete.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_SOBIG.F. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

For product specific solutions, please refer to Solution 16031 of Trend Micro's Knowledge Base.

For additional information about this threat, see Technical Details.
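
A mail-gateway triage check built from the subject, body and attachment lists in the advisory above, added here as an example (it is not Trend Micro's code and not part of the original post). The function names, the verdict labels and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory text above (compared case-insensitively).
SUBJECTS = {
    "re: thank you!", "thank you!", "re: details", "re: re: my details",
    "re: approved", "re: your application", "re: wicked screensaver",
    "re: that movie",
}
BODIES = ("see the attached file for details.",
          "please see the attached file for details.")
ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}

def classify(raw: bytes) -> str:
    """Return 'quarantine', 'review' or 'pass' for one raw RFC 822 message.
    From is never consulted: the advisory says the worm spoofs it, so it is
    useless as evidence and as a notification target."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    names = {p.get_filename().lower() for p in msg.walk() if p.get_filename()}
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part is not None else ""
    if names & ATTACHMENTS:
        return "quarantine"   # a listed attachment name is decisive
    if subject in SUBJECTS and any(b in body for b in BODIES):
        return "review"       # worm-like text, attachment stripped or renamed
    return "pass"             # subject alone ("Re: Details") is too common

def sample(subject, body, attachment=None, sender="alice@example.com"):
    """Build a constructed test message; nothing here is real worm traffic."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "bob@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    for s in (sample("Re: Approved", "See the attached file for details.", "Details.PIF"),
              sample("Re: Details", "Here are the figures you asked for.")):
        print(classify(s))
```
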