The CERT/CC has been receiving a large volume of reports of a mass mailing worm, referred to as W32/Sobig.F, spreading on the Internet. New information indicates that this worm has additional capabilities that were not realized at the time it first began propagating.
The W32/Sobig.F worm is an email-borne malicious program with a specially crafted attachment that has a .pif extension. The email messages may appear to come from random addresses and have a Subject: line such as
The following attachment names have been observed in email messages carrying the worm:
The worm requires a user to execute the malicious attachment either manually or by using an email client that will open the attachment automatically. Upon successful execution, the worm installs itself as C:\%windir%\winppr.exe and also creates the file C:\%windir%\winstt32.dat. An entry is also added to the Run registry key so that this executable will be run upon system restart. The key installed in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is ScanX with the value "c:\winnt\winppr.exe /sinc". The program then proceeds to scan files with certain extensions (htm, html, dbx, hlp, mht, txt, wab) on the compromised system for valid email addresses, and it uses an internal SMTP engine to email itself to those addresses.
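As an added detection example (not code from the advisory or from the CERT/CC), the following Python script parses a Windows registry export in .reg text form and flags the persistence entry described above: a value named ScanX under the Run key whose data launches winppr.exe. The sample export, the benign entries in it, and the function names are constructed for this example; only the ScanX name, the winppr.exe path and the /sinc argument come from the advisory.

```python
"""Scan a Windows registry export (.reg text) for the W32/Sobig.F persistence
entry described in the advisory: a value named ScanX under the Run key whose
data launches winppr.exe.  The sample export below is constructed for this
example; the benign entries in it are invented and do not refer to real
software."""
import re

# Indicators taken from the advisory text.
IOC_VALUE_NAME = "scanx"
IOC_EXECUTABLE = "winppr.exe"
RUN_KEY_SUFFIX = r"\currentversion\run"

# One .reg value line: "name"=data (data is a quoted string, or dword:/hex: for other types).
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(text):
    """Undo .reg escaping (doubled backslashes, escaped quotes) in a single pass."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for every key in a .reg export.
    Quoted string data is unescaped; dword:/hex: data is kept as written."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue  # header line, blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = VALUE_RE.match(line)
        if match is None or current is None:
            continue  # not a value line we understand; ignore rather than fail
        data = match["data"]
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][_unescape(match["name"])] = data
    return keys


def find_sobig_run_entries(keys):
    """Return [(key_path, value_name, data)] for Run-key values matching the advisory's indicators.
    Every key ending in CurrentVersion\\Run is checked, not only the HKLM one the advisory names."""
    hits = []
    for key_path, values in keys.items():
        if not key_path.lower().endswith(RUN_KEY_SUFFIX):
            continue
        for name, data in values.items():
            if name.lower() == IOC_VALUE_NAME or IOC_EXECUTABLE in data.lower():
                hits.append((key_path, name, data))
    return hits


# Constructed sample export (the ScanX line mirrors the value the advisory describes).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe /quiet"
"ScanX"="c:\\winnt\\winppr.exe /sinc"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Notepad"="C:\\WINNT\\notepad.exe"
"Legacy"=dword:00000001
'''

if __name__ == "__main__":
    for key_path, name, data in find_sobig_run_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"suspicious Run entry in {key_path}: {name} = {data}")
```

On a live host the text would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`; the script matches on either the value name or the executable so that a renamed value still surfaces, and it checks every Run key in the export rather than only the HKLM path the advisory names.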
The worm uses the Network Time Protocol (NTP) to determine the current time. The worm also includes code that attempts to contact a list of 20 predefined IP addresses on port 8998/UDP on Fridays and Sundays between 1900 and 2200 UTC (starting at 1900 UTC on August 22, 2003). It is believed that a location from which additional code can be downloaded is sent over this channel. The list of IP addresses appears as follows:
The worm is believed to have a programmed "shut down" date of September 10, 2003, at which time it is expected to stop propagating.
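The activation window above (Fridays and Sundays, 1900 to 2200 UTC, from 22 August 2003) is something a site can check its own traffic logs against. The following Python script is an added example, not code from the advisory or the CERT/CC: it parses a simple connection log, flags UDP traffic to port 8998 that falls inside that window, and lists the internal hosts that produced it. The log line format, the sample lines and every IP address in them are constructed for this example; the advisory's list of 20 addresses is not reproduced here.

```python
"""Flag UDP/8998 connections that fall inside the W32/Sobig.F activation window
given in the advisory: Fridays and Sundays, 1900-2200 UTC, starting 1900 UTC on
22 August 2003.  The log line format, the sample lines and all IP addresses
below are constructed for this example (the advisory's list of 20 addresses is
not reproduced here)."""
import re
from datetime import datetime, timezone

ACTIVATION_PORT = 8998                                        # from the advisory
ACTIVATION_START = datetime(2003, 8, 22, 19, 0, tzinfo=timezone.utc)
ACTIVATION_WEEKDAYS = {4, 6}                                  # datetime.weekday(): Friday=4, Sunday=6
WINDOW_START_HOUR, WINDOW_END_HOUR = 19, 22                   # 1900-2200 UTC, end exclusive

# Constructed line format: "<ISO-8601 timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    # Normalise to UTC so the weekday/hour checks below use the advisory's time zone.
    ts = datetime.fromisoformat(match["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return {"ts": ts, "proto": match["proto"], "src": match["src"],
            "dst": match["dst"], "dport": int(match["dport"])}


def in_activation_window(ts):
    """True if a UTC timestamp lies in a Friday/Sunday 1900-2200 UTC window on or after the start date."""
    if ts < ACTIVATION_START:
        return False
    return ts.weekday() in ACTIVATION_WEEKDAYS and WINDOW_START_HOUR <= ts.hour < WINDOW_END_HOUR


def flag_sobig_beacons(lines):
    """Return parsed records for UDP traffic to port 8998 inside the activation window."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole scan
        if rec["proto"] == "UDP" and rec["dport"] == ACTIVATION_PORT and in_activation_window(rec["ts"]):
            hits.append(rec)
    return hits


def suspected_hosts(lines):
    """Sorted list of internal source addresses that produced a flagged connection."""
    return sorted({rec["src"] for rec in flag_sobig_beacons(lines)})


# Constructed sample log: 2003-08-22 and 2003-08-29 are Fridays, 2003-08-24 is a Sunday, 2003-08-23 a Saturday.
SAMPLE_LOG = [
    "2003-08-22T19:05:00Z UDP 192.0.2.10:1025 -> 198.51.100.7:8998",   # Friday, in window: flagged
    "2003-08-22T18:59:00Z UDP 192.0.2.10:1026 -> 198.51.100.7:8998",   # before 1900 UTC: not flagged
    "2003-08-23T20:00:00Z UDP 192.0.2.11:1027 -> 198.51.100.8:8998",   # Saturday: not flagged
    "2003-08-24T21:59:00Z UDP 192.0.2.12:1028 -> 198.51.100.9:8998",   # Sunday, in window: flagged
    "2003-08-24T22:00:00Z UDP 192.0.2.12:1029 -> 198.51.100.9:8998",   # 2200 UTC, window closed: not flagged
    "2003-08-29T20:30:00Z TCP 192.0.2.13:1030 -> 198.51.100.10:8998",  # TCP, not UDP: not flagged
    "2003-08-29T20:30:00Z UDP 192.0.2.13:1031 -> 198.51.100.10:123",   # NTP, not 8998: not flagged
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    for rec in flag_sobig_beacons(SAMPLE_LOG):
        print(f"{rec['ts'].isoformat()} {rec['src']} -> {rec['dst']}:{rec['dport']}/UDP inside activation window")
    print("hosts to investigate:", ", ".join(suspected_hosts(SAMPLE_LOG)))
```

Because the worm's schedule is defined in UTC and it sets its clock via NTP, logs recorded in local time must carry a UTC offset (or be converted) before the weekday and hour checks are meaningful; a log that stamps local time without an offset would put evening traffic on the wrong side of the window in most time zones.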
Anti-virus vendors have developed signatures for W32/Sobig.F:
In addition to following the steps outlined in this section, the CERT/CC encourages home users to review the "Home Network Security" and "Home Computer Security" documents.
While an up-to-date antivirus software package cannot protect against all malicious code, for most users it remains the best first line of defense against malicious code attacks. Users may wish to read IN-2003-01 for more information on anti-virus software and security issues.
Most antivirus software vendors release frequently updated information, tools, or virus databases to help detect and recover from malicious code, including W32/Sobig.F. Therefore, it is important that users keep their antivirus software up to date. The CERT/CC maintains a partial list of antivirus vendors.
Many antivirus packages support automatic updates of virus definitions. The CERT/CC recommends using these automatic updates when available.
Never download, install, or run a program unless you know it to be authored by a person or company that you trust. Email users should be wary of unexpected attachments, while users of Internet Relay Chat (IRC), Instant Messaging (IM), and file-sharing services should be particularly wary of following links or running software sent to them by other users since these are commonly used methods among intruders attempting to build networks of distributed denial-of-service (DDoS) agents.
Sites are encouraged to block network access to the following relevant ports at network borders. This can minimize the potential of denial-of-service attacks originating from outside the perimeter. The specific services that should be blocked include
Sites should consider blocking both inbound and outbound traffic to these ports, depending on network requirements, at the host and network level.
If access cannot be blocked for all external hosts, the CERT/CC recommends limiting access to only those hosts that require it for normal operation. As a general rule, the CERT/CC recommends filtering all types of network traffic that are not required for normal operation.
If you believe a system under your administrative control has been compromised, please follow the steps outlined in
The CERT/CC is tracking activity related to this worm as CERT#30979. Relevant artifacts or activity can be sent to cert@cert.org with the appropriate CERT# in the subject line.
Copyright 2003 Carnegie Mellon University.
Revision History
August 22, 2003: Initial Release