The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>W32/Sobig.F Worm</h2>

Release Date: August 22, 2003<p>
<h3>Overview</h3>
<p>The CERT/CC has been receiving a large volume of reports of a
mass-mailing worm, referred to as W32/Sobig.F, spreading on the Internet.
New information indicates that this worm has additional capabilities
that were not recognized at the time it first began propagating.

<h3>Description</h3>
<p>The W32/Sobig.F worm is an email-borne malicious program with a
specially crafted attachment that has a <font face="courier">.pif</font>
extension.  The email messages may appear to come from random addresses
and have a <font face="courier">Subject:</font> line such as

<ul>
<li>Re: Thank You!</li>
<li>Thank You!</li>
<li>Your details</li>
<li>Re: Details</li>
<li>Re: Re: My details</li>
<li>Re: Approved</li>
<li>Re: Your application</li>
<li>Re: Wicked screensaver</li>
<li>Re: That movie</li>
</ul>
<p>The following attachment names have been observed in email messages
carrying the worm:

<ul>
<li>your_document.pif</li>
<li>document_all.pif</li>
<li>thank_you.pif</li>
<li>your_details.pif</li>
<li>details.pif</li>
<li>document_9446.pif</li>
<li>application.pif</li>
<li>wicked_scr.scr</li>
<li>movie0045.pif</li>
</ul>
<p>The worm requires a user to execute the malicious attachment either
manually or by using an email client that will open the attachment
automatically.  Upon successful execution, the worm installs itself as
<font face="courier">C:\%windir%\winppr.exe</font> and also creates
the file <font face="courier">C:\%windir%\winstt32.dat</font>. An
entry is also added to the Run registry key so that this executable
will be run upon system restart.  The key installed in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is
ScanX with the value "<font face="courier">c:\winnt\winppr.exe
/sinc</font>". The program then proceeds to scan files with certain
extensions (htm, html, dbx, hlp, mht, txt, wab) on the compromised
system for valid email addresses, and it uses an internal SMTP engine
to email itself to those addresses.
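<p>As an added example (not from the CERT note or from any vendor's tool), the following Python script checks a raw email message against the subject lines and attachment names listed above, and also flags any other .pif or .scr attachment, since those are the two extensions the worm uses. The sample message it builds is constructed, with hypothetical addresses and a placeholder payload.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines and attachment names listed in the note for W32/Sobig.F.
SOBIG_SUBJECTS = {
    "Re: Thank You!", "Thank You!", "Your details", "Re: Details",
    "Re: Re: My details", "Re: Approved", "Re: Your application",
    "Re: Wicked screensaver", "Re: That movie",
}
SOBIG_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}
RISKY_EXTENSIONS = (".pif", ".scr")   # the two extensions the worm uses


def classify_message(raw: bytes) -> list:
    """Return the indicators matched by one RFC 822 message (empty = clean).

    Exact subject/attachment matches come first; any other .pif/.scr
    attachment is reported as a generic executable-extension hit so that
    renamed carriers are still caught.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SOBIG_SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if name.lower() in SOBIG_ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name.lower().endswith(RISKY_EXTENSIONS):
            hits.append("executable-extension:" + name)
    return hits


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message (hypothetical addresses, placeholder payload)."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content("Please see the attached file.")
    m.add_attachment(b"not a real binary", maintype="application",
                     subtype="octet-stream", filename=filename)
    return bytes(m)
```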

<p>The worm uses the Network Time Protocol (NTP) to determine the
current time.  The worm also includes code that attempts to contact a
list of 20 predefined IP addresses on port 8998/UDP on Fridays and
Sundays between 1900 and 2200 UTC (starting at 1900 UTC on August 22,
2003).  It is believed that a location from which additional code can
be downloaded is sent over this channel.  The list of IP addresses
appears as follows:

<p>The worm is believed to have a programmed "shut down" date of
September 10, 2003, at which time it is expected to stop propagating.

<p>Anti-virus vendors have developed signatures for W32/Sobig.F:
<dl>
<dd><a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html">http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html</a></dd>
<dd><a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F">http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F</a></dd>
<dd><a href="http://us.mcafee.com/virusInfo/default.asp?id=helpCenter&amp;hcName=sobig">http://us.mcafee.com/virusInfo/default.asp?id=helpCenter&amp;hcName=sobig</a></dd>
<dd><a href="http://www.f-secure.com/v-descs/sobig_f.shtml">http://www.f-secure.com/v-descs/sobig_f.shtml</a></dd>
<dd><a href="http://www.sophos.com/virusinfo/analyses/w32sobigf.html">http://www.sophos.com/virusinfo/analyses/w32sobigf.html</a></dd>
</dl></p>
<h3>Solutions</h3>
<p>In addition to following the steps outlined in this section, the
CERT/CC encourages home users to review the "<a href="http://www.cert.org/tech_tips/home_networks.html">Home Network
Security</a>" and "<a href="http://www.cert.org/homeusers/HomeComputerSecurity/">Home
Computer Security</a>" documents.

<h4>Run and maintain an anti-virus product</h4>
<p>While an up-to-date antivirus software package cannot protect
against all malicious code, for most users it remains the best
first line of defense against malicious code attacks. Users may wish
to read <a href="http://www.cert.org/incident_notes/IN-2003-01.html">IN-2003-01</a> for more information on
anti-virus software and security issues.</p>
<p>Most antivirus software vendors release frequently updated
information, tools, or virus databases to help detect and recover from
malicious code, including W32/Sobig.F. Therefore, it
is important that users keep their antivirus software up to date. The
CERT/CC maintains a <a href="http://www.cert.org/other_sources/viruses.html">partial
list</a> of antivirus vendors.</p>
<p>Many antivirus packages support automatic updates of virus
definitions. The CERT/CC recommends using these automatic updates when
available.</p>
<h4>Do not run programs of unknown origin</h4>
<p>Never download, install, or run a program unless you know it to be
authored by a person or company that you trust.  Email users should be
wary of unexpected attachments, while users of Internet Relay Chat
(IRC), Instant Messaging (IM), and file-sharing services should be
particularly wary of following links or running software sent to them
by other users since these are commonly used methods among intruders
attempting to build networks of distributed denial-of-service (DDoS)
agents.</p>
<h4>Filter network traffic</h4>
<p>Sites are encouraged to block network access to the following
relevant ports at network borders.  This can minimize the potential for
denial-of-service attacks originating from outside the perimeter.  The
specific services that should be blocked include

<ul>
<li>123/UDP</li>
<li>995/UDP</li>
<li>996/UDP</li>
<li>997/UDP</li>
<li>998/UDP</li>
<li>999/UDP</li>
<li>8998/UDP</li>
</ul>
<p>Sites should consider blocking both inbound <i>and</i> outbound
traffic to these ports, depending on network requirements, at the host
and network level.

<p>If access cannot be blocked for all external hosts, the CERT/CC
recommends limiting access to only those hosts that require it for
normal operation.  As a general rule, the CERT/CC recommends filtering
<b>all</b> types of network traffic that are not required for normal
operation.
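<p>Where traffic to these ports cannot be blocked outright, logging and alerting on it is the fallback. The following added Python example (not from the CERT note) scans firewall log lines in a hypothetical "timestamp src dst proto dport" format for outbound UDP to the ports listed above, and additionally marks 8998/UDP hits that fall inside the Friday/Sunday 1900-2200 UTC contact window described in the Description section. The log lines and the destination address are constructed.

```python
from datetime import datetime, timezone

# Ports the note recommends blocking, and the worm's 8998/UDP schedule.
BLOCKED_UDP_PORTS = {123, 995, 996, 997, 998, 999, 8998}
BEACON_PORT = 8998
BEACON_DAYS = {4, 6}                 # Monday == 0, so Friday == 4, Sunday == 6
BEACON_START, BEACON_END = 19, 22    # 1900-2200 UTC, end exclusive


def in_beacon_window(ts: datetime) -> bool:
    """True if ts falls on a Friday or Sunday between 1900 and 2200 UTC."""
    ts = ts.astimezone(timezone.utc)
    return ts.weekday() in BEACON_DAYS and BEACON_START <= ts.hour < BEACON_END


def parse_line(line: str) -> dict:
    """Parse one hypothetical 'timestamp src dst proto dport' log line."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto.upper(), "dport": int(dport)}


def find_suspicious(lines) -> list:
    """Return (src, dst, dport, reason) tuples for lines worth alerting on.

    reason is 'beacon-window' for 8998/UDP inside the contact window,
    'beacon-port' for 8998/UDP outside it, and 'blocked-port' otherwise.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec["proto"] != "UDP" or rec["dport"] not in BLOCKED_UDP_PORTS:
            continue
        reason = "blocked-port"
        if rec["dport"] == BEACON_PORT:
            reason = "beacon-window" if in_beacon_window(rec["ts"]) else "beacon-port"
        alerts.append((rec["src"], rec["dst"], rec["dport"], reason))
    return alerts


# Constructed sample log lines (not real traffic). 2003-08-22 was a Friday.
SAMPLE_LOG = [
    "2003-08-22T19:05:00+00:00 10.0.0.5 203.0.113.9 UDP 8998",
    "2003-08-22T12:00:00+00:00 10.0.0.5 203.0.113.9 UDP 8998",
    "2003-08-22T19:05:00+00:00 10.0.0.7 203.0.113.9 UDP 123",
    "2003-08-22T19:05:00+00:00 10.0.0.7 203.0.113.9 TCP 25",
]
```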

<h4>Recovering from a system compromise</h4>
<p>If you believe a system under your administrative control has been
compromised, please follow the steps outlined in</p>
<dl><dd><a href="http://www.cert.org/tech_tips/win-UNIX-system_compromise.html">Steps
for Recovering from a UNIX or NT System Compromise</a></dd></dl>
<h4>Reporting</h4>
<p>The CERT/CC is tracking activity related to this worm as
CERT#30979.  Relevant artifacts or activity can be sent to
cert@cert.org with the appropriate CERT# in the subject line.


<p>
<hr noshade=""/>
<b>Authors</b>: Chad Dougherty and Brian King<br/>
<p>Copyright 2003 Carnegie Mellon University.</p>
<p>Revision History<br/>
<small>
August 22, 2003: Initial Release<br/>
</small></p></p></p></p></p></p></p></p></p></p></p></p></p></p>