The SoBig
worm spreads through email attachments and shared network folders. It
sends copies of itself via is own SMTP engine and obtains the recipient
addresses from information found in files with the following extensions:
|
The details of the email are
Sender: support@yahoo.com
<username@domain.com>
<obtained email address>
When constructing the email, the worm spoofs the From field using support@yahoo.com or an email address that it has obtained from the system, or the user name and the domain of the currently logged on user.
The subject can be:
- referer.pif
- 004448554.pif
- re.document.pif
- new_document.pif
- submited.pif
- Screensaver.scr
- movie.pif
- Applications.pif
- Application.pif
- Your application
- Re: Re: Document
- Re: Re: Application ref. 003644
- Re: Documents
- Re: Screensaver
- Re: Submited (Ref: 003746)
- Re: Movies
- Re: Movie
- Re:
Application
The message
body contains: Please see the
attached zip file for details
What makes this virus unique is the fact the attachment is a zip file which is normal not a problem unless it is unzipped. However Windows XP machines have unzipping built into them when you double-click on the attachment. The attachment is one of the following
- Movie.zip (Movie.pif)
- screensaver.zip (sky_world.scr)
- document.zip (document.pif)
- application.zip (application.pif)
- Your_details.zip(details.pif)
The worm also attempts to copy itself to the following folders on all the open network shares:
- \Windows\All Users\Start Menu\Programs\StartUp
- Documents and Settings\All Users\Start Menu\Programs\Startup
The worm stops spreading via network shares on July 14, 2003.
How to Clean/Delete the SoBig.E worm?
Follow these steps in removing the SoBig.E worm.
1) Terminate the running program
- Open the Windows Task Manager by either pressing CTRL+ALT+DEL on Win9x machines or CTL+Shift+Tab and clicking on the Processes tab on WinNT/2000/XP machines.
- Locate the following program, click on it and End Task or End Process
SFtrb Service or winssk32.exe
- Close Task Manager
2) Remove the Registry entries
- Click on Start, Run, Regedit
- In the left panel go to
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current Version>Run
- In the right panel, right-click and delete the following entry
SSK Service
Repeat this procedure for the following location
HKEY_CURRENT_USER>Software>Microsoft>Windows>Current Version>Run
- Close the Registry Editor
3) Delete the infected files
- Click Start, point to Find or Search, and then click Files or Folders.
- Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
- In the
"Named" or "Search for..." box, type, or copy and paste, the file names:
msrrf.dat
winssk32.exe - Click Find Now or Search Now.
- Delete the displayed files.
4) Reboot the computer and run a thorough virus scan using your favorite antivirus program.
for Automatic Removal of the SoBig.E worm, click on the following link
Symantec SoBig.E Automatic Removal Program
Removal of Other SoBig worm viruses
SoBig.A
SoBig.B
SoBig.C
SoBig.D
SoBig.E
SoBig.F
| Search PCHell.com |
|
| site search by freefind | advanced |
Tools for Removing Spyware, Adware, and Malware
PC HELL
Other Pages
Welchia (Dllhost.exe and SVCHost.exe) Worm Removal
Uninstall Antivir Instructions
How to Manually Run the Microsoft Malicious Software Removal Tool
Bloodhound.Exploit.6 Virus Removal
Backdoor SDBot.H Trojan Removal
iPadastic - News, Tutorials, Help, Tips, and Hints for the iPad
Download Hoyle Games
including Casino 3D, Card, Board, and Solitaire games.
