W32/Sobig-F disinfection instructions and FAQ
At the time of writing, the W32/Sobig-F worm is spreading rapidly in the wild. W32/Sobig-F travels via email and network shares. When it arrives via email W32/Sobig-F can pose as an attached PIF or SCR file. Launching the attached file infects the computer.
1. How do I remove W32/Sobig-F?
2. Which operating systems are affected?
3. How do I know if my computer is infected with W32/Sobig-F?
4. How did my computer become infected?
5. I am receiving a great deal of unexplained email or delivery failure messages. Is my computer infected?
6. How do I avoid infection in the future?
7. Additional information on W32/Sobig-F
1. How do I remove W32/Sobig-F?
You can remove W32/Sobig-F automatically from Windows 95/98/Me and Windows NT/2000/XP/2003 computers with Resolve.
2. Which operating systems are affected?
Windows 95/98/Me and Windows NT/2000/XP/2003 can be affected.
Other operating systems cannot be infected by W32/Sobig-F, but worm files may be dropped on open shares.
3. How do I know if my computer is infected with W32/Sobig-F?
An infected computer may show no obvious symptoms, so do not rely on noticing something wrong.
To check for W32/Sobig-F:
- look in the Windows folder for the file winppr32.exe
- add the W32/Sobig-F IDE to your installation of Sophos Anti-Virus and scan your computer
- check the Windows registry to see if W32/Sobig-F has set the entries listed in the W32/Sobig-F virus analysis.
4. How did my computer become infected?
W32/Sobig-F is a worm that spreads via email and network shares.
- You may have infected your computer by opening an infected email attachment.
- The worm may have gained access to your computer via a 'network share', i.e. a folder that you have made available to other users on your network.
See the W32/Sobig-F virus analysis for full details.
5. I am receiving a great deal of unexplained email or delivery failure messages. Is my computer infected?
Not necessarily. W32/Sobig-F 'spoofs' email addresses, i.e. it forges the sender details on the mail it sends. The worm may be running on some other person's computer and sending mail that appears to come from you; delivery failure messages for that mail are then returned to you rather than to the infected machine. This can happen to anyone with an email address, not just to Windows users.
If the volume of such email is a problem, you can use security software to block messages by subject line or by attachment type.
6. How do I avoid infection in the future?
Update your corporate anti-virus software now so that you can detect and prevent the W32/Sobig-F worm. If you do not have procedures for rapid updates, implement them now, because you are sure to need them again. Sophos Enterprise Manager is one way to help automate protection updates inside your company.
If possible, block all Windows programs at your email gateway. Some email applications can be configured to do this. It is rarely necessary to allow users to receive programs via email. There is so little to lose, and so much to gain, simply by blocking all mailed-in programs, regardless of whether they contain viruses or not. Sophos MailMonitor for SMTP contains pro-active threat reduction technology which can help you block dangerous filetypes and executable code at the email gateway.
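As an added example of the gateway filtering described above (example code written for this page, not a Sophos product or its configuration), the following Python function parses an incoming message and blocks it if any attachment name ends in a Windows program extension. PIF and SCR are the types the FAQ names; the other extensions in the set, the constructed sample message and the helper names are assumptions for the example.

```python
from __future__ import annotations

import email
import os
from email import policy
from email.message import EmailMessage

# Extensions treated as Windows programs. The FAQ names .pif and .scr;
# the rest of this set is an assumption added for the example (the usual
# executable and script types a gateway would block as well).
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js"}


def attachment_names(raw_message: bytes) -> list[str]:
    """Return the filenames of every non-multipart part that carries one."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def is_blocked_filename(name: str) -> bool:
    """True if the attachment name ends in a blocked extension.

    Only the final extension counts: 'report.doc.pif' is a .pif file to
    Windows, and trailing spaces are stripped before the check.
    """
    _, ext = os.path.splitext(name.strip().lower())
    return ext in BLOCKED_EXTENSIONS


def gateway_verdict(raw_message: bytes) -> tuple[str, list[str]]:
    """Return ('block', [offending attachment names]) or ('allow', [])."""
    offenders = [n for n in attachment_names(raw_message) if is_blocked_filename(n)]
    return ("block", offenders) if offenders else ("allow", [])


def build_sample(attachment_name: str) -> bytes:
    """Construct a sample message for the example (not a real worm sample)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Your document"
    msg.set_content("See the attached file.")
    # Payload bytes are constructed filler, not executable content.
    msg.add_attachment(b"MZ not a real program", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("your_document.pif", "screensaver.scr", "notes.txt"):
        print(name, "->", gateway_verdict(build_sample(name)))
```

The verdict is made on the filename alone, as the FAQ suggests, so it does not depend on whether the attachment is detected as a particular virus.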
7. Additional information on W32/Sobig-F
W32/Sobig-F uses the Network Time Protocol (NTP) to access one of several servers in order to determine the current date and time.
If the time returned by the NTP server is between 19:00 and 22:00 UTC (8pm-11pm UK time during British Summer Time) on any Friday or Sunday, W32/Sobig-F sends a UDP packet to port 8998 of a remote server. This feature could be used to download and run a Trojan or additional worm components.
If the date is 10 September 2003 or later the worm stops working.
To prevent malicious code from being downloaded by W32/Sobig-F, Sophos strongly recommends that customers consider configuring company firewalls so outgoing connection attempts to UDP port 8998 are blocked.
Customers should consult their firewall documentation, or contact their firewall provider for assistance in implementing this configuration change.
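As an added example (written for this page, not Sophos code), the Python below encodes the trigger window described above and runs it over a few constructed firewall log lines to pick out outbound UDP/8998 attempts, which is what a firewall configured as recommended should be logging as blocked. The log line format, the sample entries, the treatment of 22:00 as the end of the window (exclusive) and the function names are assumptions for the example.

```python
from __future__ import annotations

import re
from datetime import datetime, timezone

# Trigger conditions stated in the FAQ: Friday or Sunday, 19:00-22:00 UTC,
# and the worm stops working from 10 September 2003.
DEACTIVATION_DATE = datetime(2003, 9, 10, tzinfo=timezone.utc)
TRIGGER_DAYS = {4, 6}  # datetime.weekday(): Monday=0 ... Friday=4, Sunday=6
TRIGGER_START_HOUR, TRIGGER_END_HOUR = 19, 22  # end treated as exclusive (assumption)
BEACON_PORT = 8998


def utc(*args: int) -> datetime:
    """Build an aware UTC datetime, e.g. utc(2003, 8, 22, 19, 0)."""
    return datetime(*args, tzinfo=timezone.utc)


def in_trigger_window(when: datetime) -> bool:
    """True when the worm's payload routine would run at the given time."""
    if when.tzinfo is None:
        raise ValueError("pass an aware datetime; the worm uses NTP time, not the local clock")
    when = when.astimezone(timezone.utc)
    if when >= DEACTIVATION_DATE:
        return False
    return when.weekday() in TRIGGER_DAYS and TRIGGER_START_HOUR <= when.hour < TRIGGER_END_HOUR


# Constructed log format for the example (not any product's real format):
# "<UTC time> <ALLOW|DENY> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LOG_RE = re.compile(r"^(\S+) (ALLOW|DENY) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")

# Constructed sample entries. 22 August 2003 was a Friday; 23 August a Saturday.
SAMPLE_LOG = """\
2003-08-22T19:03:11Z ALLOW TCP 10.0.0.5:1043 -> 203.0.113.7:80
2003-08-22T19:03:14Z DENY UDP 10.0.0.5:1044 -> 198.51.100.9:8998
2003-08-22T19:03:15Z ALLOW UDP 10.0.0.5:1045 -> 10.0.0.1:123
2003-08-23T12:10:00Z ALLOW UDP 10.0.0.8:1200 -> 198.51.100.9:8998
"""


def flag_sobig_beacons(log_text: str) -> list[dict]:
    """Return one record per outbound UDP packet to port 8998.

    'blocked' shows whether the firewall dropped it; 'in_window' shows
    whether the timestamp matches the worm's trigger window, which helps
    separate worm traffic from unrelated use of the same port.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real parser would log it
        ts, action, proto, src, _sport, dst, dport = m.groups()
        if proto != "UDP" or int(dport) != BEACON_PORT:
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        hits.append({
            "time": ts,
            "host": src,
            "target": dst,
            "blocked": action == "DENY",
            "in_window": in_trigger_window(when),
        })
    return hits


if __name__ == "__main__":
    for hit in flag_sobig_beacons(SAMPLE_LOG):
        print(hit)
```

A host that appears in these records, whether or not the packet was blocked, is a candidate for the checks in question 3 (the winppr32.exe file and the registry entries); the NTP traffic to UDP port 123 on the same host is normal and is deliberately not flagged.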