How to rid your computer of the SOBIG.F worm
dicentra at xmission.com
Fri Aug 22 03:29:16 UTC 2003
These instructions come from the Trend Micro Virus Encyclopedia
www.trendmicro.com/vinfo/virusencyclo/
Description:
TrendLabs has received several infection reports of this mass-mailing worm
from Norway and Spain. As of August 19, 12:19 PM GMT, Trend Micro has
declared a Medium Risk alert to control the spread of this malware.
This worm propagates by mass-mailing copies of itself using its own Simple
Mail Transfer Protocol (SMTP) engine. It collects email addresses from files
with the following extensions:
* DBX
* HLP
* MHT
* WAB
* HTML
* HTM
* TXT
* EML
It sends out email messages with the following details:
Subject: <any of the following:>
Re: Thank you!
Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Your details
Message body: <any of the following:>
See the attached file for details.
Please see the attached file for details.
Attachment: <any of the following:>
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
It may spoof the FROM field using email addresses found on the infected
machine, so that its email messages appear to originate from one source but
were actually sent from another.
This worm deactivates its propagation routine on September 10, 2003.
This worm runs on Windows 95, 98, ME, NT, 2000, and XP.
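The subject, body and attachment-name lists above are usable as mail-gateway indicators; the spoofed FROM field is not. As an added example (not part of the original post or of the Trend Micro text), the following Python builds a detection rule from those lists and exercises it on constructed sample messages: a message is flagged only when a known lure (subject or body) is combined with one of the known attachment names.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure subjects, bodies and attachment names as listed in the description above.
SOBIG_F_SUBJECTS = {
    "Re: Thank you!", "Thank you!", "Re: Details", "Re: Re: My details",
    "Re: Approved", "Re: Your application", "Re: Wicked screensaver",
    "Re: That movie", "Your details",
}
SOBIG_F_BODIES = {
    "See the attached file for details.",
    "Please see the attached file for details.",
}
SOBIG_F_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}

def sobig_f_indicators(raw: bytes) -> list:
    """Return the SOBIG.F indicators an RFC 822 message matches, in the order found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    hits = [f"subject:{subject}"] if subject in SOBIG_F_SUBJECTS else []
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in SOBIG_F_ATTACHMENTS:
            hits.append(f"attachment:{name}")
        elif not name and part.get_content_type() == "text/plain":
            text = part.get_content().strip()
            if text in SOBIG_F_BODIES:
                hits.append(f"body:{text}")
    return hits

def is_sobig_f(raw: bytes) -> bool:
    """Gateway rule: a known lure (subject or body) plus a known attachment name."""
    hits = sobig_f_indicators(raw)
    lure = any(h.startswith(("subject:", "body:")) for h in hits)
    return lure and any(h.startswith("attachment:") for h in hits)

def build_sample(subject, body, attachment_name=None) -> bytes:
    """Constructed sample message for testing, not a real capture."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()
```

The attachment-name match is exact, so the rule catches the nine names the description lists and nothing else; a broader rule on any .pif or .scr attachment would be a separate policy decision.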
Solution:
AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please use the Trend
Micro System Cleaner.
MANUAL REMOVAL INSTRUCTIONS
Identifying the Malware Program
To remove this malware, first identify the malware program.
1. Scan your system with your Trend Micro antivirus product.
2. NOTE all files detected as WORM_SOBIG.F.
Trend Micro customers need to download the latest pattern file before
scanning their system. Other Internet users may use Housecall, Trend Micro's
free online virus scanner.
Terminating the Malware Program
This procedure terminates the running malware process from memory. You will
need the name(s) of the file(s) detected earlier.
1. Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file or files
detected earlier.
3. Select one of the detected files, then press either the End Task or
the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running
processes.
5. To check if the malware process has been terminated, close Task
Manager, and then open it again.
6. Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show
certain processes. You may use a third party process viewer to terminate the
malware process. Otherwise, continue with the next procedure, noting
additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from
executing during startup.
To remove the malware autostart entries:
1. Open Registry Editor. To do this, click Start>Run, type Regedit, then
press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>
CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries:
TrayX = "%Windows%\winppr32.exe /sinc"
(Note: %Windows% is the Windows folder, which is usually C:\Windows or
C:\WINNT.)
4. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>
CurrentVersion>Run
5. In the right panel, locate and delete the entry or entries:
TrayX = "%Windows%\winppr32.exe /sinc"
6. Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as
described in the previous procedure, restart your system.
Deleting Dropped File
1. Right-click Start then click Search or Find depending on your
version of Windows.
2. In the Named input box, type:
WINSTT32.DAT
3. In the Look In drop-down list, select the drive which contains
Windows, then press Enter.
4. Once located, select the file then hit Delete.