   INCIDENT NOTES

CERT-In Incident Note CIIN-2003-03

W32.Sobig.F@mm worm

Original Issue Date: August 22, 2003

Severity: High

Type: Worm

Systems Affected:

  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows NT 4.0
  • Microsoft Windows 9X
  • Microsoft Windows ME
  • Microsoft Outlook/Express
  • Web-based e-mail programs

Overview

The worm propagates via e-mail, constructing its outgoing messages with its own SMTP engine, and also copies itself over network shares. The sender addresses are mostly valid addresses that are spoofed in the From: line, so the apparent sender of an infected message is usually not the infected host. This worm is also known as Win32.HLLM.Reteras, W32.Sobig.F@mm, W32/Sobig.f@MM, Sobig.F, Win32.Sobig.F, W32/Sobig-F and I-Worm.Sobig.f.

Description

The worm is an e-mail-borne malicious program that arrives as a specially crafted attachment with a .pif (or .scr) extension. The messages appear to come from random, spoofed addresses and carry a Subject: line such as:

  • Re: Thank You!
  • Re: Approved
  • Thank You!
  • Re: Your application
  • Your details
  • Re: Wicked screensaver
  • Re: Details
  • Re: That movie
  • Re: Re: My details

The attachments could be one of the following:

  • your_document.pif
  • document_all.pif
  • thank_you.pif
  • your_details.pif
  • details.pif
  • document_9446.pif
  • application.pif
  • wicked_scr.scr
  • movie0045.pif

Message Body:

  • See the attached file for details.
  • Please see the attached file for details.

Upon execution, the worm drops a copy of itself in the Windows folder (%WinDir%) as WINPPR32.EXE, along with a non-malicious data file, WINSTT32.DAT, in the same folder.

To ensure that it is automatically executed at every Windows startup, it adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
TrayX = "%Windows%\winppr32.exe /sinc"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
TrayX = "%Windows%\winppr32.exe /sinc"

The worm then harvests e-mail addresses from files with the extensions .htm, .html, .dbx, .hlp, .mht, .txt and .wab on the compromised system and uses its own SMTP engine to mail itself to those addresses, so it does not depend on the installed mail client to send.

The worm uses the Network Time Protocol (NTP) to determine the current time rather than relying on the local system clock. It also includes code that attempts to contact a list of 20 predefined IP addresses on port 8998/UDP on Fridays and Sundays between 1900 and 2200 UTC (starting at 1900 UTC on Friday, August 22, 2003). It is believed that a location from which additional code can be downloaded is sent over this channel. The list of IP addresses is as follows:

  • 12.158.102.205
  • 12.232.104.221
  • 218.147.164.29
  • 24.197.143.132
  • 24.202.91.43
  • 24.206.75.137
  • 24.210.182.156
  • 24.33.66.38
  • 61.38.187.59
  • 63.250.82.87
  • 65.177.240.194
  • 65.92.186.145
  • 65.92.80.218
  • 65.93.81.59
  • 65.95.193.138
  • 66.131.207.81
  • 67.73.21.6
  • 67.9.241.67
  • 68.38.159.161
  • 68.50.208.96
The worm is believed to have a programmed shut-down date of September 10, 2003, after which it is expected to stop propagating; a system infected before that date still carries the dropped files and registry entries until it is cleaned. Anti-virus vendors have released signatures for this worm.
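The rendezvous behaviour described above combines three conditions: a listed destination, UDP port 8998, and the Friday/Sunday 19:00-22:00 UTC window from August 22, 2003 onwards. The following Python script is an added example, not CERT-In's code, that checks flow records against all three so that a genuine rendezvous attempt stands out from stray traffic to the port or to a listed host at another time. It also reports UDP/123 (NTP) separately, since the note lists unexpected NTP traffic as a symptom. The one-line "timestamp src proto dst dport" flow format and the sample records are constructed for the example.

```python
"""Flow-log check for the Sobig.F rendezvous traffic described in the note.

Added example, not CERT-In's code. The flow-record format and the sample
records are constructed for this example.
"""
from datetime import datetime, timezone

SOBIG_F_HOSTS = {
    "12.158.102.205", "12.232.104.221", "218.147.164.29", "24.197.143.132",
    "24.202.91.43", "24.206.75.137", "24.210.182.156", "24.33.66.38",
    "61.38.187.59", "63.250.82.87", "65.177.240.194", "65.92.186.145",
    "65.92.80.218", "65.93.81.59", "65.95.193.138", "66.131.207.81",
    "67.73.21.6", "67.9.241.67", "68.38.159.161", "68.50.208.96",
}
SOBIG_F_PORT = 8998
NTP_PORT = 123
WINDOW_START = datetime(2003, 8, 22, 19, 0, tzinfo=timezone.utc)
ACTIVE_WEEKDAYS = {4, 6}          # datetime.weekday(): Friday=4, Sunday=6
ACTIVE_HOURS = range(19, 22)      # 19:00 <= t < 22:00 UTC


def in_rendezvous_window(ts: datetime) -> bool:
    """True when ts falls in the Friday/Sunday 19:00-22:00 UTC slot."""
    ts = ts.astimezone(timezone.utc)
    return (ts >= WINDOW_START
            and ts.weekday() in ACTIVE_WEEKDAYS
            and ts.hour in ACTIVE_HOURS)


def classify_flow(ts: datetime, proto: str, dst_ip: str, dst_port: int) -> str:
    """Label one outbound flow according to the indicators in the note."""
    if proto != "udp":
        return "ignore"
    if dst_port == NTP_PORT:
        return "ntp"                      # symptom: the worm's time check
    if dst_port != SOBIG_F_PORT:
        return "ignore"
    if dst_ip in SOBIG_F_HOSTS:
        return "rendezvous" if in_rendezvous_window(ts) else "listed-host"
    return "port-only"


def parse_flow(line: str):
    """Parse 'ISO8601Z src proto dst dport' (constructed record format)."""
    stamp, src, proto, dst, dport = line.split()
    ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return ts, src, proto.lower(), dst, int(dport)


def triage(lines) -> list:
    """Return (src, dst, label) for every flow that is not ignored."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, proto, dst, dport = parse_flow(line)
        label = classify_flow(ts, proto, dst, dport)
        if label != "ignore":
            out.append((src, dst, label))
    return out


# Constructed flow records: 22 Aug 2003 was a Friday, 23 Aug a Saturday.
SAMPLE_FLOWS = """
2003-08-22T19:05:12Z 10.0.0.15 udp 12.158.102.205 8998
2003-08-22T19:05:10Z 10.0.0.15 udp 192.0.2.53 123
2003-08-23T19:05:12Z 10.0.0.15 udp 12.158.102.205 8998
2003-08-22T20:30:00Z 10.0.0.27 udp 192.0.2.7 8998
2003-08-22T20:30:00Z 10.0.0.27 tcp 192.0.2.80 80
""".strip().splitlines()

if __name__ == "__main__":
    for row in triage(SAMPLE_FLOWS):
        print(*row)
```

A "listed-host" or "port-only" result is still worth a look (the host may have a skewed clock, or the log timestamps may not be UTC), but a "rendezvous" result on an internal source is a strong sign that the machine is infected and should be isolated before the next window.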

Symptoms

  • Presence of WINPPR32.EXE and WINSTT32.DAT files in %WinDir%
  • Presence of the registry entries detailed above
  • Unexpected NTP traffic to remote servers

Removal Instructions

1. Win9x/ME: reboot the system into Safe Mode (press the F8 key as soon as the "Starting Windows" text is displayed and choose Safe Mode).
WinNT/2K/XP: terminate the WINPPR32.EXE process (for example from Task Manager).

2. Delete the following files from WINDOWS directory
WINPPR32.EXE
WINSTT32.DAT

3. Edit the registry
Delete the "TrayX" value from both of the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. Reboot the system
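The Symptoms list and removal steps 2 and 3 come down to two checks: the dropped files in %WinDir% and the TrayX values under the two Run keys. The following Python script is an added example, not CERT-In's code, that reads a registry export (the text produced by regedit's export function) and a directory listing, reports the indicators, and writes the .reg fragment that deletes the matched values so step 3 can be applied with regedit rather than by hand. The export and listing below are constructed inputs standing in for a real host; the "name"=- line is regedit's own notation for deleting a value.

```python
"""Host triage for the Sobig.F symptoms and removal steps in the note.

Added example, not CERT-In's code. SAMPLE_EXPORT and SAMPLE_WINDIR are
constructed inputs standing in for a real infected host.
"""
import re

DROPPED_FILES = {"winppr32.exe", "winstt32.dat"}
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# "name"=value lines; the name may contain escaped quotes or backslashes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo the backslash escaping regedit uses inside quoted strings."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Map each [key] in a .reg export to its {name: string value} pairs."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m and m.group(2).startswith('"') and m.group(2).endswith('"'):
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2)[1:-1])
    return keys


def find_run_entries(keys: dict) -> list:
    """Return (key, value name, command) for Run values that launch the worm."""
    hits = []
    for key, values in keys.items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, cmd in values.items():
            if "winppr32.exe" in cmd.lower() or name.lower() == "trayx":
                hits.append((key, name, cmd))
    return hits


def find_dropped_files(windir_listing) -> list:
    """Return the dropped-file names present in a %WinDir% listing."""
    return sorted(n for n in windir_listing if n.lower() in DROPPED_FILES)


def removal_reg(hits) -> str:
    """Build a .reg file that deletes every matched value ("name"=- syntax)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _cmd in hits:
        lines += [f"[{key}]", f'"{name}"=-', ""]
    return "\n".join(lines)


# Constructed export and listing standing in for a real infected host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"
'''
SAMPLE_WINDIR = ["explorer.exe", "WINPPR32.EXE", "winstt32.dat", "win.ini"]

if __name__ == "__main__":
    hits = find_run_entries(parse_reg_export(SAMPLE_EXPORT))
    print("dropped files:", find_dropped_files(SAMPLE_WINDIR))
    for key, name, cmd in hits:
        print(f"{key}\\{name} = {cmd}")
    print(removal_reg(hits))
```

Matching on the command line (winppr32.exe) as well as the value name catches the case where a variant or a tidy-up has renamed the value; the generated .reg file only ever deletes the matched values, leaving other Run entries such as the constructed SoundMan line untouched. Run it against an export taken after step 1, import the result, and re-run the check after the reboot in step 4 to confirm the entries have not come back.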

Solution

In addition to following the steps above, users may refer to the CERT-In Security Guideline on Anti-Virus Policy & Best Practices (CISG-2003-05).

  • Always run and maintain an anti-virus product
    While an up-to-date antivirus software package cannot protect against all malicious code, for most users it remains the best first-line of defense against malicious code attacks.
  • Do not run programs of unknown origin
    Never download, install or run a program unless it is expected and comes from a known person or organization. Because this worm forges the sender address, a familiar From: line is not by itself sufficient; confirm unexpected attachments with the sender by other means.
  • Filter network traffic
    Sites are encouraged to block network access to the following relevant ports at network borders.

o 123/UDP
o 995/UDP
o 996/UDP
o 997/UDP
o 998/UDP
o 999/UDP
o 8998/UDP

Sites should consider blocking both inbound and outbound traffic to these ports, depending on network requirements, at the host and network level.

Apply Patches

Appropriate patches should be applied to Microsoft Outlook/Outlook Express so that unsafe attachment types such as .pif and .scr are blocked. Web-based e-mail users, whose mail is not filtered by a local client, should install a personal firewall to protect against this worm.

References

CERT-In Security Guideline CISG-2003-05
http://www.cert.org.in/knowledgebase/guidelines/cisg-2003-05.pdf

CERT/CC Incident Note IN-2003-03
http://www.cert.org/incident_notes/IN-2003-03.html

Microsoft Security Alert
http://www.microsoft.com/security/antivirus/sobig.asp

Anti-Virus vendor sites:

  • McAfee
  • Trend Micro
  • Symantec
  • Computer Associates

Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003