Sobig-F worm: Sophos advises on how to prevent the worm from downloading a malicious update

Sophos Press Release

Code from the Sobig-F worm

Sophos experts have advised network and system administrators that they can take immediate action to prevent the W32/Sobig-F worm from downloading a potentially malicious update from the internet.

The worm contains a list of encrypted IP addresses inside its code, which Sobig-F infected computers use to signal their availability for an update. Infected computers will communicate with the IP addresses on UDP port 8998. They will also be listening on UDP ports 995-999 - perhaps in readiness for the updates to arrive.

Sophos analysts have decrypted the list of IP addresses and have reproduced it below:

Sophos has attempted to contact the owners of the IP addresses, and some of the administrators have already taken action to block infected computers from communicating with them.

Sophos advises companies, major ISPs and internet backbone providers to consider blocking all access to the above list of IP addresses, as this will protect infected users on their network from receiving updates to W32/Sobig-F.

Another approach would be for network and system administrators to consider blocking NTP requests (except to trusted servers) so their infected computers do not know it is time to try and find the malicious update.

Administrators should also consider eliminating or restricting outbound use of UDP port 8998.

Customers should consult their firewall documentation, or contact their firewall provider for assistance in implementing these configuration changes.
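The detection side of the advice above (outbound UDP to port 8998 and inbound UDP to the 995-999 listener ports), as an added example that is not Sophos's code: a small Python checker run over constructed flow-log lines. The log format, the SAMPLE_FLOWS lines and the SOBIG_UPDATE_HOSTS set are assumptions; the decrypted IP list from the press release is not on this page, so the set holds placeholder addresses only.

```python
# Added example (not Sophos's code): flag hosts whose UDP traffic matches the
# Sobig-F update-check pattern: outbound UDP to port 8998, or inbound UDP to
# ports 995-999. Flow-log lines and address list are constructed for illustration.
import re
from collections import defaultdict

UPDATE_PORT = 8998               # destination port infected hosts signal on
LISTEN_PORTS = range(995, 1000)  # ports infected hosts listen on (995-999)

# PLACEHOLDER: the real decrypted list is not on this page; these are
# constructed RFC 5737 documentation addresses, not real update hosts.
SOBIG_UPDATE_HOSTS = {"192.0.2.10", "198.51.100.20"}

# Constructed flow lines: <timestamp> <src>:<sport> -> <dst>:<dport> <proto>
SAMPLE_FLOWS = """\
2003-08-22T12:00:01 10.0.0.5:1034 -> 192.0.2.10:8998 UDP
2003-08-22T12:00:02 10.0.0.5:1035 -> 198.51.100.20:8998 UDP
2003-08-22T12:00:03 10.0.0.7:53211 -> 10.0.0.1:53 UDP
2003-08-22T12:00:04 203.0.113.9:4444 -> 10.0.0.5:997 UDP
2003-08-22T12:00:05 10.0.0.8:2000 -> 192.0.2.10:8998 TCP
2003-08-22T12:00:06 10.0.0.9:1111 -> 192.0.2.99:8998 UDP
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

def parse_flow(line):
    """Parse one constructed flow line; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def find_sobig_candidates(log_text, update_hosts=SOBIG_UPDATE_HOSTS):
    """Return {host: sorted reasons} for hosts whose UDP traffic needs a look."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_flow(line)
        if f is None or f["proto"].upper() != "UDP":
            continue  # only UDP matters for the pattern described in the advisory
        if f["dport"] == UPDATE_PORT:
            known = f["dst"] in update_hosts
            findings[f["src"]].add("udp/8998 to known update host" if known
                                   else "udp/8998 outbound")
        if f["dport"] in LISTEN_PORTS:
            findings[f["dst"]].add("inbound udp/%d" % f["dport"])
    return {h: sorted(r) for h, r in findings.items()}
```

A host flagged with both an outbound 8998 signal and inbound traffic on 995-999 is the strongest candidate for disinfection; TCP traffic to 8998 is deliberately ignored because the advisory describes UDP only.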

Sophos has published more information about how to disinfect computers and prevent the Trojan download.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at