W32/Sobig-F is a worm that spreads via email.
W32/Sobig-F copies itself to the Windows folder as winppr32.exe and sets one of the following registry entries:
= <Windows folder>\winppr32.exe /sinc
= <Windows folder<\winppr32.exe /sinc
The worm sends itself, using its own SMTP engine, as an attachment to email addresses collected from various files on the victim's computer. When it distributes itself via email it forges the sender's email address, making it difficult to know who is truly infected.
The email has the following format:
Subject line: Chosen from -
Re: That movie
Re: Wicked screensaver
Re: Your application
Re: Re: My details
Message text: Chosen from -
Please see the attached file for details.
See the attached file for details
Attached file: Chosen from -
W32/Sobig-F also attempts to spread by copying itself to Windows network shares.
W32/Sobig-F uses the Network Time Protocol (NTP) to access one of several servers in order to determine the current date and time.
If the time returned by the NTP server is between 19:00 and 22:00 UTC+0 (which is 8pm-11pm UK time) on Friday or Sunday, W32/Sobig-F sends a UDP packet to port 8998 of a remote server. This feature could be used to download and run a Trojan or additional worm components.
To prevent malicious code from being downloaded by W32/Sobig-F, Sophos strongly recommends that customers consider configuring company firewalls so outgoing connection attempts to UDP port 8998 are blocked.
Customer should consult their firewall documentation, or contact their firewall provider for assistance in implementing this configuration change.
If the date is 10 September 2003 or later the worm stops working.