Date: Tue, 19 Aug 2003 14:14:14 -0400 (EDT)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: Virus Alert: Sobig.F Worm

-------------------------
VIRUS ALERT: SOBIG.F WORM
-------------------------

On August 18th a new variant of the Sobig Worm, called Sobig.F, began
spreading very rapidly across the Internet via e-mail. It is also known
by a variety of other names that contain the word "Sobig". We have seen
a number of Sobig.F-infected e-mails here at BCPL.NET.

The Sobig.F Worm infects Windows PCs. It does not infect Macintosh OS
or UNIX computers.

How The Sobig.F Worm Spreads
----------------------------

Sobig.F is spread in the form of an e-mail file attachment that installs
the worm on the target PC if the attachment is opened.

When a PC becomes infected, Sobig.F compiles a list of target e-mail
addresses from addresses found in the address book, in saved e-mail, and
in other files on the infected computer. It then mails infected file
attachments to all those addresses. It does this each time the infected
PC boots up and connects to the Internet.

The e-mail carrying the infected file attachment is always in the
following format:

  Subject: Chosen at random from the following list:

    - Your details
    - Thank you!
    - Re: Thank you!
    - Re: Details
    - Re: Re: My details
    - Re: Approved
    - Re: Your application
    - Re: Wicked screensaver
    - Re: That movie

  From Address: Selected by the virus from its list of target
    addresses, so the message may appear to come from someone you know.

  Message Text: Chosen at random from the following list:

    - See the attached file for details
    - Please see the attached file for details

  File Attachment: The name of the infected file attachment is chosen
    at random from the following list:

    - your_document.pif
    - document_all.pif
    - thank_you.pif
    - your_details.pif
    - details.pif
    - document_9446.pif
    - application.pif
    - wicked_scr.scr
    - movie0045.pif

If you receive e-mail matching the above description, delete it.
DO NOT open the file attachment!

The Sobig.F Worm infection is not carried by e-mail intentionally sent
by the owner of the infected PC. Sobig.F sends out its infected e-mail
without the knowledge of the PC's owner, using mailer routines built
into the worm.

How To Protect Your PC From Sobig.F Worm Infection
--------------------------------------------------

o If you have anti-virus software on your PC, *and* if it is configured
  to scan incoming e-mail for viruses, *and* if its virus description
  database is up to date enough to know about Sobig.F, then it will
  stop Sobig.F before it can infect your PC.

  However, the virus description database must be *very* new. The
  Sobig.F Worm was discovered and described by the major anti-virus
  software vendors on August 18, 2003, so a virus description database
  older than that will not enable your anti-virus software to detect
  and stop Sobig.F.

  We recommend that you update your virus description database at least
  once a week, although, given the rate at which new PC viruses appear,
  once a day would be even better. If you do not keep your virus
  description database up to date, then your anti-virus software is
  virtually useless.

o In the final analysis you are your own best defence against virus
  infection. All it takes is a bit of common sense. If you receive a
  message containing a file attachment, DO NOT open the attachment
  unless ALL of the following are true:

    - The sender is known to you.
    - You are expecting a file attachment from that person.
    - The sender clearly identifies the nature of the file attachment
      in the text of the message.

  If any one of those three statements is not true, delete the message.
  DO NOT open the file attachment. When in doubt, get in touch with the
  apparent sender to confirm that he/she actually sent the file
  attachment.

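The message format listed under "How The Sobig.F Worm Spreads" can be
turned into a mail-filter check. The following is an added example, not
part of the original alert: the function name and the sample message are
constructed for illustration, and only the subject, message-text and
attachment lists come from the alert.

```python
from email import message_from_string
from email.header import decode_header, make_header

# Indicator lists copied from the alert; compared case-insensitively.
SUBJECTS = {"your details", "thank you!", "re: thank you!", "re: details",
            "re: re: my details", "re: approved", "re: your application",
            "re: wicked screensaver", "re: that movie"}
BODIES = {"see the attached file for details",
          "please see the attached file for details"}
ATTACHMENTS = {"your_document.pif", "document_all.pif", "thank_you.pif",
               "your_details.pif", "details.pif", "document_9446.pif",
               "application.pif", "wicked_scr.scr", "movie0045.pif"}

def _squash(text):
    return " ".join(text.split()).lower()  # collapse whitespace, lowercase

def sobig_f_indicators(raw_message):
    """Return which alert indicators ('subject', 'body', 'attachment') match."""
    msg = message_from_string(raw_message)
    hits = set()
    subject = str(make_header(decode_header(msg["Subject"] or "")))
    if _squash(subject) in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name:  # named part: compare the file name only, never open it
            if _squash(name) in ATTACHMENTS:
                hits.add("attachment")
        elif part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            if _squash(body) in BODIES:
                hits.add("body")
    return hits

# Constructed sample (not a captured message); the attachment body is a dummy.
SAMPLE = """\
Subject: Re: Approved
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file for details
--b1
Content-Disposition: attachment; filename="your_details.pif"

dummy
--b1--
"""
print(sorted(sobig_f_indicators(SAMPLE)))
```

The From address is deliberately not checked, since the alert notes that
the worm picks it from its list of target addresses.
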
How To Remove the Sobig.F Worm From An Infected PC
--------------------------------------------------

If your PC becomes infected by Sobig.F, and if you have anti-virus
software on the PC, then your virus definition database must be too old
to detect Sobig.F. Otherwise your anti-virus software would not have
allowed the worm to infect your PC in the first place. Update your virus
definitions database, then use the anti-virus software to scan your hard
drive.

If you do not have anti-virus software, or if you have trouble with the
software vendor's instructions for dealing with a Sobig.F-infected PC,
or if you just want a quick fix, we recommend that you download and run
the "Stinger" utility provided free of charge by McAfee. You will find
it on the McAfee web site at:

  http://vil.nai.com/vil/stinger/

Stinger will remove Sobig.F and several other recent worms and viruses.
Please follow the instructions on the Stinger web page very carefully!

IMPORTANT: In order to remove Sobig.F you need Stinger version 1.8.3 (or
later), which was posted to the Network Associates web site on August
18th. If you already have an older version of Stinger, it will not
remove a Sobig.F infection.

More Information About The Sobig.F Worm:
---------------------------------------

The following URLs will take you to detailed information about Sobig.F
on several well-known anti-virus Web sites:

  http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100561
  http://www.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
  http://www.F-Secure.com/v-descs/sobig_f.shtml
  http://www.sophos.com/virusinfo/analyses/w32sobigf.html
  http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F

--
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179
U.S.A.

CONTACTS:
--------

Web Site:                          http://www.bcpl.net
Administration & Policy:           ispadmin@bcpl.net     410-887-6180
Sales, Renewals, Account Status:   accounts@bcpl.net     410-887-4172
Technical Support (Help Desk):     help@bcpl.net         410-887-3297
Usenet News Newsgroup Requests:    news-admin@bcpl.net   410-887-6180
E-Mail & Newsgroup Abuse Reports:  abuse@bcpl.net        410-887-6180
Domain Name Service Issues:        dnsadmin@bcpl.net     410-887-6180
FAX:                               410-887-2091