Virus Database

I-Worm.Sobig.f

Description I-Worm.Sobig.f
Sobig.f is a worm spreading via the Internet as a file attached to infected emails. The Sobig.f worm also spreads through shared network resources.
The worm itself is a Windows PE EXE file that is written in Microsoft Visual C++ and is compressed by the TeLock utility. Its file sizes are typically around 70 KB when compressed (TeLock), while its decompressed size is about 100 KB.
The Sobig.f worm activates only when a user double clicks on the attached file. Once the worm is launched it installs itself in the system and runs its spreading routine.

Installation
During installation the worm copies itself into the Windows directory under the name winppr32.exe and registers itself in the system registry autorun keys:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
TrayX = %WindowsDir%winppr32.exe/sinc

HKLMSoftwareMicrosoftWindowsCurrentVersionRun
TrayX = %WindowsDir%winppr32.exe/sinc


Spreading via email
To get victim emails the worm looks for .TXT, .EML, .HTML, .HTM, .DBX, WAB, MHT and HLP files in all directories on all available local drives, scans for e-mail like text strings and sends infected e-mails to these addresses. To send infected messages the worm uses the SMTP engine specified in the system properties.
Below are variations of Sobig.f message content:
The From field has fake email address (found on the infected machine) or admin@internet.com.
Subject:
Re: That movie
Re: Wicked screensaver
Re: Your application
Re: Approved
Re: Re: My Re: Your Thank you!
Re: Thank you!
Message Body:
See the attached file for Please see the attached file for details.
Attached file name:
movie0045.pif
wicked_scr.scr
application.pif
document_9446.pif
details.pif
your_details.pif
thank_you.pif
document_all.pif
your_document.pif
The worm also creates the file winstt32.dat in the Windows directory and writes the email addresses that were found on the infected machine to this file.


Spreading via network
The worm scans all accessible network resources (other computers in a network) and copies itself to the auto-start directories (if there are such subdirectories) of each resource (computer) found.


Updating
The worm sends UDP packets at random IP addresses to port 8998 and awaits commands from the 'master' machine. The commands contain URLs from which Sobig.f downloads and executes files. Thus, the worm is able to upgrade itself and/or install other applications (Trojans for instance).
Loading additional files
The worm launches a procedure that every 60 minutes checks the current time according to Greenwich meantime. To do this it sends out queries via NTP servers (Network Time Protocol). SoBig.F keeps an internal log from 19 NTP servers; following are the IP addresses of these NTP servers:
200.68.60.246
62.119.40.98
150.254.183.15
132.181.12.13
193.79.237.14
131.188.3.222
131.188.3.220
193.5.216.14
193.67.79.202
133.100.11.8
193.204.114.232
138.96.64.10
chronos.cru.fr
212.242.86.186
128.233.3.101
142.3.100.2
200.19.119.69
137.92.140.80
129.132.2.21

When an NTP server does not reply, the worm invokes the system function for learning the current time - 'gmtime'. On Fridays and Sundays when the current GM time is between 19:00 and 23:00, the worm begins to download additional files. To download these files it sends out UDP (User Datagram Protocol) packets via the IP address assigned to port 8998. SoBig.f maintains a list of IP addresses in an encoded file. Currently these sites are blocked and therefore do not respond to queries.
List of encoded IP addresses:
67.73.21.6
68.38.159.161
67.9.241.67
66.131.207.81
65.177.240.194
65.93.81.59
65.95.193.138
65.92.186.145
63.250.82.87
65.92.80.218
61.38.187.59
24.210.182.156
24.202.91.43
24.206.75.137
24.197.143.132
12.158.102.205
24.33.66.38
218.147.164.29
12.232.104.221
68.50.208.96

The SoBig.f worm receives replies to its queries in the form of a UDP packet via port 8998. This packet contains an encoded URL (Uniform Resource Locator) file. The SoBig.f worm downloads this file and executes it.
Other
All worm routines are active until September 10, 2003.

Check other viruses! Be aware! Use Antiviral Software

ChaosYears Family

Description ChaosYears Family

These are dangerous memory resident parasitic viruses. They hook INT 21h and write themselves to the end of COM- and EXE-files on their opening or execution. Sometimes the viruses erase disk sectors and then decrypt and display the message:
YOUR DISK HAS BEEN DESTROYED BY THE " CHAOS YEARS " VIRUS all
ACCEPT MY SINCERE SYMPATHY !
SIGNED : THE DARK AVENGER .

Chapa Family

Description Chapa Family

These are memory resident parasitic viruses. They hook INT 21h and write themselves to the beginning of COM-files that are executed. The viruses contain the text strings:
"Chapa.447": ANTI "T.M.E.- VARNA",VIRUS BY MIK
"Chapa.448": V.Black LoveCM
"Chapa.450.a": CHAPA
"Chapa.450.b": T.M.E. - VARNA
"Chapa.450.c": *BY APAHC*
"Chapa.566": ANTI "T.M.E.- VARNA",VIRUS BY MIK.F;
"Chapa.572": 21/10/95 - "Black Love".
May Autor is Mr.Loverman T.M.E - Varna.
"Chapa.586": *"MG-VARNA" THE BEST SCHOOL ALL THE WORLD. BY APAHC*

All these viruses except "Chapa.450.a,c" also hook INT 13h and depending on the system timer corrupt the data that are stored on disk.

Home