W32/Sobig@MM Virus Family - U-M Virus Busters

The W32/Sobig.F@MM Virus Spreads Rapidly; Forges Its "From:" Field

by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)
Last significant update: 20 August, 2003

This information can be freely reproduced in any medium, as long as the information is unmodified.

The Sobig virus family affects only PC computers running Windows; Macintosh users, and users of other non-Windows operating systems cannot be infected by this virus. These users may, however, see plenty of infected email from Sobig.F, in particular, so its "annoyance factor" is large. Perhaps unbearably large.

The first Sobig variant (W32/Sobig.A) was discovered in January 2003; the second variant, W32/Sobig.B (a.k.a. Palyh a.k.a. Mankx) appeared on 18 May, 2003. Both of these variants were no particular problem -- although both forged their "From:" address, they were easy to prevent at the email gateway.
W32/Sobig.C, discovered 31 May, 2003, was a much larger problem, but it was programmed to stop spreading on 8 June, 2003. W32/Sobig.D was a flop, Sobig.E was a significant problem, and W32/Sobig.F, discovered 19 August 2003, seems to be the most troublesome to date.
We released the VirusScan 4287 drivers -- which cover W32/Sobig.F -- at 10:44 EDT on 19 August 2003, so U-M Windows users who have VirusScan installed and updating itself automatically should have been protected against Sobig.F within an hour or so thereafter. If you opened infected email, though, before the autoupdate occurred -- NEVER open unsolicited email attachments, even when they appear to be from someone you know and trust. [Instead, ask the sender if s/he sent it, and what it is, and demand a sufficiently detailed answer that a virus would be unable to generate. Better yet, ask over the phone or in person; no virus can forge that!]
Also: even if you have the current drivers, that does not mean that one will not see huge numbers of emails from victims of this virus....

We have seen a lot of copies of Sobig.F here at the University, and it definitely is out "In The Wild" in a very large degree.

The main features of Sobig.F are these:

It forges its From: field, so that recipients of email with Sobig.F-infected attachments seem to get it from someone who was not the actual sender (and is not the real Sobig.F victim)

The text always is merely

    Please see the attached file for details.
   or
    See the attached file for details.

The Subject: line will be one of the following:
- Your details
- Thank you!
- Re: Thank you!
- Re: Details
- Re: Re: My details
- Re: Approved
- Re: Your application
- Re: Wicked screensaver
- Re: That movie
Antivirus vendors report that the virus uses these names for attachments:
- your_document.pif
- document_all.pif
- thank_you.pif
- your_details.pif
- details.pif
- document_9446.pif
- application.pif
- wicked_scr.scr
- movie0045.pif
Obviously, you should not attempt to open the attachment.... But then again, at the risk of sounding like a broken record: you never should open unsolicited attachments -- not even when they appear to be from someone you know and trust.
Sobig.F will scavenge the victimized computer for text that looks like email addresses, and forge email as if it were from those addresses as well. Hence if you get email from an address you recognize but it contains an unexpected attachment, BEWARE ! : Sobig.F probably forged the address and sent you an infected attachment. Don't be fooled!
Sobig.F can spread via open network shares. I recommend that you disable File and Print Sharing, or at least password protect all shared resources.
According to some vendors, there is code in Sobig.F that will allow your computer to be hacked.
Sobig.F is programmed to stop replicating on 10 September, 2003. But based on previous versions, we can expect to see it longer than that....

The main properties about Sobig.F are that it spreads very successfully, and the forged From:field. Here is what happens frequently:

Person A's computer gets infected
Sobig.F harvests email addresses fron that computer, including addresses for persons B and C
Sobig.F sends email from A's computer, using a "From:" address of person B, and a "To:" address of person C.
Person C's antivirus software notices that the email "from" person B is infected, so C emails B to warn him or her.
Person B scans his or her computer and finds no virus; person B is very confused.
Note: Sometimes the role of Person C is played by a well-meaning but foolishly configured antivirus scanner for email gateways. See below.

What should you do if:

If know you are infected by Sobig.F?
Easy: disinfect with current, top quality antivirus software. University folks can get such software here.
There is an excellent tool for doing this -- it also handles a fair number of other viruses that are particularly nasty. It's NAI's free! Stinger tool (leaving our site). If you use Stinger, be sure to follow all the instructions they provide -- in particular, if you use WinME or WinXP, disabling System Restore. Otherwise, you'll be wasting time and effort. I recommend booting in Safe Mode also.
Also, note that while Stinger removes a few nasty viruses, it does NOT detect most of the 77000+ viruses known to exist -- nor does it protect you from getting reinfected. For that, you must use normal antivirus software.
One more time: Stinger is for detection and removal only, not protection.
You receive email you suspect is infected with Sobig.F -- or other viruses, for that matter?
That's up to you; for suggestions, see our What to do with suspicious email document.
You receive email that claims you are sending Sobig.F-infected email?
This is a bit more involved:
1. First, you probably are not infected, particularly if you are getting email from the recipient or from some automated announcement system: most of these alerts are well intentioned, but they do not check the full email headers to see who the real sender is.
  [Of course, if you get email from us saying that you are infected, or personal email from others who ought to know, then there is a much higher chance that your computer is infected. But everyone makes mistakes, so it's not a sure thing!]
2. Nonetheless, you should check that your computer has top quality antivirus software installed, and that it is current, and that you do not have any viruses on your machine.
3. Assuming that you have no viruses on your computer, you may want to ask the sender of the alert for more information. In particular, you'll need full email headers; when you receive them, pass this information along to your competent antivirus support personnel. Better yet, Cc: those support folks in your original request, and ask that the full headers, etc., be sent to the support personnel directly.
  U-M folks: you can request that this information be sent to the U-M Virus Busters Team, of course.
For technical info on Sobig.F, see e.g. Network Associates write-up on Sobig.F (leaving our site) or F–Secure's write up (leaving our site).

The URL for this document is http://www.umich.edu/~virus-busters/sobig-f.html

For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

-BPB

Last updated: Wednesday, 20-Aug-2003 02:14:31 EDT.
University of Michigan Virus Busters - virus.busters@umich.edu

visits to this page since 20 August, 2003 01:34 EDT