Virus Profile: W32/Sobig.f@MM

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 8/18/2003
Date Added: 8/18/2003
Origin: Unknown
Length: approx 72,568 Bytes
Type: Virus
Subtype: Internet Worm
DAT Required: 4287

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Existence of the WINPPR32.EXE file in %WinDir%
  • Existence of the Registry hooks detailed in the Installation section below
  • Unexpected NTP traffic to remote servers

Methods of Infection

This worm propagates via email (it contains its own SMTP engine) and attempts to spread via accessible network shares. To prevent the worm from downloading updates, it is recommended that UDP ports 995-999 and 8998 be blocked.

Aliases

W32.Sobig.F@mm (NAV), WORM_SOBIG.F (Trend)

Virus Characteristics

-- Update September 22, 2003 --
The risk assessment was lowered to Low-Profiled.

This detection is for a new variant of W32/Sobig. In common with previous variants, the worm is written in MSVC, and bears the following characteristics:

  • propagates via email, constructing outgoing messages with its own SMTP engine
  • propagates over network shares (not confirmed during testing)

Note: The worm carries garbage data appended to the end of the file, so the exact file size and file checksum may vary.

Installation

The worm copies itself onto the victim machine as WINPPR32.EXE into %Windir%, for example:

C:\WINNT\WINPPR32.EXE

A configuration file is also dropped to %Windir%:

C:\WINNT\WINSTT32.DAT

The following Registry keys are added to hook system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc

Mail Propagation

The worm mails itself to email addresses harvested from the victim machine, using its own SMTP engine to construct outgoing messages. Target email addresses are harvested from files with the following extensions:

  • DBX
  • HLP
  • MHT
  • WAB
  • EML
  • TXT
  • HTM
  • HTML

Outgoing messages are constructed as follows:

From: (may be admin@internet.com but could be virtually any address)

Subject:

  • Your details
  • Thank you!
  • Re: Thank you!
  • Re: Details
  • Re: Re: My details
  • Re: Approved
  • Re: Your application
  • Re: Wicked screensaver
  • Re: That movie

Attachment:

  • your_document.pif
  • document_all.pif
  • thank_you.pif
  • your_details.pif
  • details.pif
  • document_9446.pif
  • application.pif
  • wicked_scr.scr
  • movie0045.pif

Body:

  • See the attached file for details
  • Please see the attached file for details

The "From:" address may be spoofed with an address extracted from the victim machine. Therefore the perceived sender most likely does not identify the infected user.

The attachment must be run manually to infect the local system. Additionally, messages sent by the virus contain the following fields (note that these are commonly found in valid email messages):

  • X-MailScanner: Found to be clean
  • X-Mailer: Microsoft Outlook Express 6.00.2600.0000

The virus sends itself via its own SMTP engine, which requires an ESMTP server to send itself successfully. The virus does an MX lookup on the target domain (i.e. when sending itself to user@domain.com, it sends through the servers specified in the MX record for domain.com).
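The message characteristics listed above can be turned into a mail-gateway check. The following is an added example, not code from the McAfee profile: it parses a raw RFC 822 message with Python's standard `email` library, matches the subject, attachment name, body and header indicators from this profile, and only convicts a message when the attachment name matches together with at least one corroborating indicator, because the subject, body and header values on their own also occur in legitimate mail. The two sample messages, the verdict names and the `match_indicators`/`verdict` functions are this example's own constructions.

```python
import email
from email import policy

# Indicators copied from the profile above; everything else in this block is added example code.
SOBIG_F_SUBJECTS = {
    "Your details", "Thank you!", "Re: Thank you!", "Re: Details",
    "Re: Re: My details", "Re: Approved", "Re: Your application",
    "Re: Wicked screensaver", "Re: That movie",
}
SOBIG_F_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}
SOBIG_F_BODIES = {
    "See the attached file for details",
    "Please see the attached file for details",
}
# Both headers also appear in legitimate mail, so they only corroborate.
SOBIG_F_HEADERS = {
    "X-MailScanner": "Found to be clean",
    "X-Mailer": "Microsoft Outlook Express 6.00.2600.0000",
}


def match_indicators(raw: bytes) -> list:
    """Return the list of Sobig.F indicators present in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() in SOBIG_F_SUBJECTS:
        hits.append("subject")
    names = [p.get_filename().lower() for p in msg.iter_attachments() if p.get_filename()]
    if any(n in SOBIG_F_ATTACHMENTS for n in names):
        hits.append("attachment-name")
    elif any(n.endswith((".pif", ".scr")) for n in names):
        hits.append("attachment-ext")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in SOBIG_F_BODIES:
        hits.append("body")
    for name, value in SOBIG_F_HEADERS.items():
        if str(msg[name] or "").strip() == value:
            hits.append("header:" + name)
    return hits


def verdict(raw: bytes) -> str:
    """Gateway decision; the verdict strings are this example's own, not McAfee's.

    A matching attachment name plus any one corroborating indicator is treated
    as Sobig.F. A bare .pif/.scr attachment is held for review. Subject, body
    and header matches alone are not enough, since they occur in normal mail.
    """
    hits = match_indicators(raw)
    if "attachment-name" in hits and len(hits) >= 2:
        return "sobig-f"
    if "attachment-name" in hits or "attachment-ext" in hits:
        return "suspicious-attachment"
    return "clean"


# Constructed sample: a message shaped like the ones described in the profile.
# The attachment payload is the base64 of the word "PLACEHOLDER", not worm code.
SAMPLE_WORM_MAIL = b"""From: admin@internet.com
To: user@example.com
Subject: Re: Wicked screensaver
X-MailScanner: Found to be clean
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached file for details
--b1
Content-Type: application/octet-stream; name="wicked_scr.scr"
Content-Disposition: attachment; filename="wicked_scr.scr"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""

# Constructed sample: a legitimate reply that shares the subject and X-Mailer header.
SAMPLE_CLEAN_MAIL = b"""From: colleague@example.org
To: user@example.com
Subject: Re: Details
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-Type: text/plain; charset="us-ascii"

Hi, here are the details you asked for.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_WORM_MAIL, SAMPLE_CLEAN_MAIL):
        print(verdict(raw), match_indicators(raw))
```

Because the attachment must be opened by hand to infect a machine, the attachment check carries the weight of the decision; the other indicators are there to reduce false positives on mail that merely shares a subject line or a mailer header with the worm.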

Contacting Remote NTP Servers

The worm contains a list of IP addresses for remote NTP servers, to which it sends NTP packets (destination UDP port 123).

  • 200.68.60.246
  • 62.119.40.98
  • 150.254.183.15
  • 132.181.12.13
  • 193.79.237.14
  • 131.188.3.222
  • 131.188.3.220
  • 193.5.216.14
  • 193.67.79.202
  • 133.100.11.8
  • 193.204.114.232
  • 138.96.64.10
  • chronos.cru.fr
  • 212.242.86.186
  • 128.233.3.101
  • 142.3.100.2
  • 200.19.119.69
  • 137.92.140.80
  • 129.132.2.21

The worm obtains the UTC time from one of these servers which is used by the worm to determine when to attempt to download remote file(s).

Self-Termination

In common with previous W32/Sobig variants, this variant contains a date triggered self-termination routine. If the date is September 10th 2003 or later, the worm will no longer propagate.

Downloading Functionality

The worm is capable of retrieving file(s) from a remote server - the specific URL of which is controlled by the author, and is issued in response to data sent from infected machines.

At a specific time (as determined via NTP), the worm sends data from infected machines to a number of remote systems on UDP port 8998:

  • 12.158.102.205
  • 12.232.104.221
  • 218.147.164.29
  • 24.197.143.132
  • 24.202.91.43
  • 24.206.75.137
  • 24.210.182.156
  • 24.33.66.38
  • 61.38.187.59
  • 63.250.82.87
  • 65.177.240.194
  • 65.92.186.145
  • 65.92.80.218
  • 65.93.81.59
  • 65.95.193.138
  • 66.131.207.81
  • 67.73.21.6
  • 67.9.241.67
  • 68.38.159.161
  • 68.50.208.96

The specific time condition for this event is between 19:00 and 22:00 UTC on a Friday or Sunday. Efforts are under way to have these IP addresses shut down.
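The NTP list, the UDP 8998 peer list and the Friday/Sunday 19:00-22:00 UTC window above are the network-side indicators of this worm. The following is an added example, not code from the McAfee profile: it classifies constructed flow records against those lists, rates a UDP 8998 flow to a listed peer inside the trigger window as the strongest signal, treats the same flow outside the window as still suspicious, and treats NTP traffic to the listed servers as only a weak signal, since those are public time servers that legitimate clients also use. The flow line format, the tag strings, the sample records and the assumption that 22:00 itself falls outside the window are this example's own; the self-termination date gate from the profile is included as `still_propagates`.

```python
from datetime import date, datetime, timezone

# Indicators copied from the profile above; the flow format and tag strings are this example's own.
NTP_SERVERS = {
    "200.68.60.246", "62.119.40.98", "150.254.183.15", "132.181.12.13",
    "193.79.237.14", "131.188.3.222", "131.188.3.220", "193.5.216.14",
    "193.67.79.202", "133.100.11.8", "193.204.114.232", "138.96.64.10",
    "chronos.cru.fr", "212.242.86.186", "128.233.3.101", "142.3.100.2",
    "200.19.119.69", "137.92.140.80", "129.132.2.21",
}
UPDATE_PEERS = {
    "12.158.102.205", "12.232.104.221", "218.147.164.29", "24.197.143.132",
    "24.202.91.43", "24.206.75.137", "24.210.182.156", "24.33.66.38",
    "61.38.187.59", "63.250.82.87", "65.177.240.194", "65.92.186.145",
    "65.92.80.218", "65.93.81.59", "65.95.193.138", "66.131.207.81",
    "67.73.21.6", "67.9.241.67", "68.38.159.161", "68.50.208.96",
}
SELF_TERMINATION = date(2003, 9, 10)


def in_trigger_window(ts: datetime) -> bool:
    """Friday or Sunday, 19:00-22:00 UTC. Assumption: 22:00 itself is outside the window."""
    utc = ts.astimezone(timezone.utc)
    return utc.weekday() in (4, 6) and 19 <= utc.hour < 22


def still_propagates(day: date) -> bool:
    """Date gate from the profile: no propagation on or after 10 September 2003."""
    return day < SELF_TERMINATION


def parse_flow(line: str) -> dict:
    """Constructed flow format: '<ISO 8601 UTC> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": src, "dst": dst, "proto": proto.lower(), "dport": int(dport),
    }


def classify_flow(rec: dict):
    """Return a tag for a flow that matches one of the profile's indicators, else None."""
    if rec["proto"] != "udp":
        return None
    if rec["dport"] == 8998:
        if rec["dst"] not in UPDATE_PEERS:
            return "udp8998:unknown-peer"   # weak: the port alone, peer not on the list
        tag = "sobig-f:beacon" if in_trigger_window(rec["ts"]) else "sobig-f:beacon-offwindow"
        if not still_propagates(rec["ts"].date()):
            tag += ":after-termination-date"
        return tag
    if rec["dport"] == 123 and rec["dst"] in NTP_SERVERS:
        return "sobig-f:ntp-check"          # weak: public NTP servers, legitimate clients use them too
    return None


def scan(lines):
    """Classify each flow line and return (src, dst, tag) for every hit."""
    out = []
    for line in lines:
        rec = parse_flow(line)
        tag = classify_flow(rec)
        if tag:
            out.append((rec["src"], rec["dst"], tag))
    return out


# Constructed sample flows. 2003-08-22 was a Friday, 2003-08-23 a Saturday, 2003-08-24 a Sunday.
SAMPLE_FLOWS = [
    "2003-08-22T19:37:10Z 10.0.0.5 63.250.82.87 udp 8998",   # listed peer, Friday, in window
    "2003-08-24T21:59:59Z 10.0.0.5 24.33.66.38 udp 8998",    # listed peer, Sunday, last second of window
    "2003-08-23T20:00:00Z 10.0.0.7 63.250.82.87 udp 8998",   # listed peer, Saturday: outside window
    "2003-08-22T18:58:02Z 10.0.0.5 200.68.60.246 udp 123",   # listed NTP server, just before the window
    "2003-08-22T19:37:12Z 10.0.0.5 192.0.2.10 udp 8998",     # port only, peer not on the list
    "2003-08-22T19:40:00Z 10.0.0.5 192.0.2.10 tcp 80",       # unrelated traffic
]

if __name__ == "__main__":
    for src, dst, tag in scan(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {tag}")
```

A host that shows the NTP check shortly before the window and then a UDP 8998 flow to a listed peer inside it matches the sequence the profile describes (time lookup, then beacon), which is a stronger case for isolating that host than either flow on its own.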


DAT Files
Detection is included in the 4287 DAT files. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Stand Alone Remover
Stinger has been updated to include detection/removal of this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. - Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed and choose Safe Mode).
    - WinNT/2K/XP - Terminate the process WINPPR32.EXE
  2. Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt)
    • WINPPR32.EXE
    • WINSTT32.DAT
  3. Edit the registry
    • Delete the "TrayX" value from
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
        Windows\CurrentVersion\Run
      • HKEY_CURRENT_USER\SOFTWARE\Microsoft\
        Windows\CurrentVersion\Run

Additional Windows ME/XP removal considerations

Sniffer Customers: Filters have been developed that will look for Sobig.f UDP traffic (UDP ports 123 and 8998) [Sniffer Distributed 4.3 and Sniffer Portable 4.7.5].

ThreatScan users:
The latest ThreatScan signature (2003-08-20) includes detection of the Sobig.f virus. This signature is available for ThreatScan v2.0, v2.1, and v2.5.

To update your ThreatScan installations with the latest signatures perform the following tasks:

- From within ePO open the "Policies" tab.
- Select "McAfee ThreatScan" and then select "Scan Options"
- In the pane below click the "Launch AutoUpdater" button.
- Using the default settings, proceed through the dialogs that appear. Upon successful completion of the update a message will appear stating that update 2003-08-20 has completed successfully.

- From within ePO create a new "AutoUpdate on Agent(s)" task.
- Go into the settings for this task and ensure that the host field is set to ftp.nai.com, the path is set to /pub/security/tsc20/updates/winnt/ and that the user and password fields are both set to ftp. Note that "tsc20" in the above path is used for ThreatScan 2.0 and 2.1. The correct path for ThreatScan 2.5 is "tsc25".

- Launch this task against all agent machines.
- When the task(s) complete, information will be available in the "Task Status Details" report.

To create and execute a new task with the new Hot Fix functionality do the following:

- Create a new ThreatScan task.
- Edit the settings of this task.
- Edit the "Task option", "Host IP Range" to include all desired machines to scan.

To scan for the Sobig.f virus infection:

- Select the "Remote Infection Detection" category and "Windows Virus Checks" template. -or-
- Select the "Other" category and "Scan All Vulnerabilities" template.
- Launch the scan.

For additional information:

- Run the "ThreatScan Template Report"
- Look for module number 4053