Sobig-F worm: Sophos advises on how to prevent the worm from downloading a malicious update

August 22, 2003 Sophos Press Release

Code from the Sobig-F worm

Sophos experts have advised network and system administrators that they can take immediate action to prevent the W32/Sobig-F worm from downloading a potentially malicious update from the internet.

The worm contains a list of encrypted IP addresses inside its code, which the Sobig-F infected computers use to signal their availability for an update. Infected computers will communicate with the IP addresses on UDP port 8998. They will also be listening on UDP ports 995-999, perhaps in readiness for the updates to arrive.

Sophos analysts have decrypted the list of IP addresses and have reproduced it below:


Sophos has attempted to contact the owners of the IP addresses, and some of the administrators have already taken action to block infected computers from communicating with them.

Sophos advises companies, major ISPs and internet backbone providers to consider blocking all access to the above list of IP addresses, as this will protect infected users on their network from receiving updates to W32/Sobig-F.

Another approach would be for network and system administrators to consider blocking NTP requests (except to trusted servers) so their infected computers do not know it is time to try and find the malicious update.

Administrators should also consider eliminating or restricting outbound use of UDP port 8998.
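The three network behaviours described above (outbound UDP/8998 signalling, listening on UDP 995-999 for the update, and NTP to anything other than a trusted time source) can be checked against firewall or flow logs before the blocks are rolled out. The following detection sketch is an added example, not Sophos code; the one-line flow format, the 10.0.0.0/8 internal range, the trusted NTP server and all sample addresses (RFC 5737 documentation ranges) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Ports named in the advisory
UPDATE_SIGNAL_PORT = 8998               # infected hosts signal availability here
UPDATE_LISTEN_PORTS = range(995, 1000)  # infected hosts listen on 995-999 for the update
NTP_PORT = 123

# Assumptions for this example: internal range and the organisation's trusted NTP server
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
TRUSTED_NTP = {ipaddress.ip_address("192.0.2.10")}

@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def parse_flow(line):
    """Constructed log format: '<src-ip> <dst-ip> <proto> <dst-port>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))

def classify(flow):
    """Return the Sobig-F indicator a flow matches, or None if it is clean."""
    if flow.proto != "udp":
        return None
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    outbound = src in INTERNAL and dst not in INTERNAL
    inbound = dst in INTERNAL and src not in INTERNAL
    if outbound and flow.dport == UPDATE_SIGNAL_PORT:
        return "update-signal"
    if inbound and flow.dport in UPDATE_LISTEN_PORTS:
        return "update-delivery"
    if outbound and flow.dport == NTP_PORT and dst not in TRUSTED_NTP:
        return "untrusted-ntp"
    return None

def scan(lines):
    """Map each suspect internal host to the set of indicators it triggered."""
    suspects = {}
    for line in filter(None, (l.strip() for l in lines)):
        flow = parse_flow(line)
        tag = classify(flow)
        if tag is None:
            continue
        host = flow.dst if tag == "update-delivery" else flow.src  # the internal side
        suspects.setdefault(host, set()).add(tag)
    return suspects

# Constructed sample flows: two suspect internal hosts, three benign lines
SAMPLE_FLOWS = """10.1.2.3 198.51.100.7 udp 8998
203.0.113.9 10.1.2.3 udp 997
10.1.2.3 192.0.2.10 udp 123
10.1.2.4 203.0.113.50 udp 123
10.1.2.3 198.51.100.7 tcp 8998
10.1.2.3 10.1.2.9 udp 8998"""
```

Running `scan(SAMPLE_FLOWS.splitlines())` flags 10.1.2.3 for both the signal and the inbound update attempt and 10.1.2.4 only for untrusted NTP; internal-to-internal and TCP traffic on the same ports is ignored.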

Customers should consult their firewall documentation, or contact their firewall provider for assistance in implementing these configuration changes.

Sophos has published more information about how to disinfect computers and prevent the Trojan download.