Threat Encyclopedia


Win32/Sobig.F

Win32/Sobig.F is a worm that spreads as a file attached to e-mail messages. The worm is 72 to 75 Kb long and is compressed.

Win32/Sobig.F arrives in a message with one of the following subjects:

Re: That movie
Re: Wicked screensaver
Re: Your application
Re: Details
Your details
Re: Approved
Re: Re: My details
Thank you!

The body of the message is one sentence long and is one of the following two options:

Please see the attached file for details.
See the attached file for details

The attachment is a file containing the worm. Its name varies and has the extension .pif, e.g. your_details.pif.
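The mail indicators listed above (subject, one-sentence body, .pif attachment) can be checked at a mail gateway or over a stored mailbox. The following is an added example, not code from the encyclopedia or from NOD32; the function names and the matching policy (a .pif attachment plus a listed subject or body) are assumptions made for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# Indicators copied from the description above.
SUBJECTS = {
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Re: Details", "Your details", "Re: Approved", "Re: Re: My details",
    "Thank you!",
}
BODIES = {
    "Please see the attached file for details.",
    "See the attached file for details",
}

def _norm(text):
    # Collapse whitespace and ignore a trailing full stop.
    return " ".join(text.split()).rstrip(".")

def sobig_f_indicators(raw):
    """Return the set of Sobig.F mail indicators present in a raw message."""
    msg = message_from_string(raw)
    hits = set()
    if _norm(str(msg.get("Subject", ""))) in {_norm(s) for s in SUBJECTS}:
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            if name.lower().endswith(".pif"):
                hits.add("pif-attachment")
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("latin-1")
            if _norm(text) in {_norm(b) for b in BODIES}:
                hits.add("body")
    return hits

def looks_like_sobig_f(raw):
    # Assumed policy: a .pif attachment plus a listed subject or body.
    hits = sobig_f_indicators(raw)
    return "pif-attachment" in hits and bool(hits & {"subject", "body"})

def make_sample(subject, body, filename):
    # Constructed test message; the attachment bytes are a harmless placeholder.
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()
```

Because the subjects and bodies are generic, a subject or body match alone is treated as weak evidence; the attachment extension is what the policy requires.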

Note: In the following text, the symbol %windir% stands for the directory in which the Windows operating system is installed. This may differ from installation to installation.

When run, the worm copies itself into the directory %windir% under the name winppr32.exe. The copy is 72568 bytes long. The worm ensures that it is activated after the operating system restarts by creating an entry named TrayX under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and setting its value to %windir%\winppr32.exe /sinc.

The worm collects e-mail addresses for spreading from files on the hard disk of the infected computer with the extensions HTM, DBX, WAB, etc.

Win32/Sobig.F can also spread over local area networks.

NOD32 detects Win32/Sobig.F from version 1.489.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.