Wednesday, December 17, 2003

W32/Sobig.F-mm is Still a Big Threat:
"On the virus and worm front, not much has changed in the lineup of top threats. W32/Swen.A-mm, W32/Dumaru.A-mm and several Mimail variations are still infecting hundreds worldwide every day. Also on the top list is W32/Sobig.F-mm, a tenacious multi-vector worm that has been around since August. Sobig.F, like Swen.A, spoofed the 'from' address field of e-mail it sent out, to make it look like someone else was sending the infected messages. The worm was very prolific by itself, but it ended up generating more incidental Internet traffic because automated IT antivirus systems were sending virus notifications back to the senders. Unfortunately, many of the apparent senders had nothing to do with the original e-mail message. In the days of slower-moving viruses, the notifications were helpful, but with fast-moving worms, it had to be scrapped. In a recent newsletter, ThreatFocus estimated that 'Spam from PCs hijacked by the Sobig virus now accounts for more than half of all email sent across the Internet.'"

First discovered in August 2003, the mass-mailing worm W32/Sobig.F-mm caused a lot of grief in a short amount of time, and it is still in the top 10 viruses plaguing users. W32/Sobig.F-mm was supposed to stop propagating on September 10th, 2003, and several antivirus companies downgraded its threat level. Though "deactivated", it is still listed as one of the top infectors and is blamed for spreading spam across the Internet. Even after the deactivation date, it can still be used to propagate spam and to update itself, which makes removing the infection important.

One of the fastest-moving viruses, Sobig.F usually spreads as an e-mail attachment (typically a PIF or SCR file), though it also attempts to spread through network shares, leaving open the possibility of re-infection even after the originally infected machines have been cleaned. For a user to catch Sobig.F, they must run or view the e-mail attachment. Once running, Sobig.F sends copies of itself using its own SMTP engine to addresses harvested from text, database, HTML and e-mail files on the victim's machine. The virus also uses the harvested addresses to spoof the "From" field and disguise the origin of the e-mail. This feature caused major headaches, as many innocent users were blamed for sending infected traffic, and the bounced e-mail itself clogged the Internet.

Once running, the virus attempts to get the current date and time from one of several Network Time Protocol (NTP) servers. If the time is between 19:00 and 22:00 UTC (Coordinated Universal Time), or 8pm – 11pm UK time, on a Friday or Sunday, it sends a UDP packet to a remote server on port 8998. It is suspected that this packet is used to download an update file, a behavior shown by earlier versions of Sobig. Blocking outgoing UDP connections on port 8998 with a firewall is recommended as a workaround for this feature.
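The beacon schedule described above gives a defender a cheap detection rule: any outbound UDP to port 8998 is worth a look, and one that falls on a Friday or Sunday between 19:00 and 22:00 UTC matches the worm's documented timing. The script below is an added example, not code from the original post; it runs that check over a constructed firewall log in a hypothetical one-record-per-line format, and assumes the 22:00 end of the window is exclusive and that the day of week is judged in UTC.

```python
from datetime import datetime, timezone

SOBIG_UDP_PORT = 8998          # port named in the post
BEACON_DAYS = {4, 6}           # datetime.weekday(): 4 = Friday, 6 = Sunday
BEACON_HOURS = range(19, 22)   # 19:00 up to, but not including, 22:00 UTC (assumed)

# Constructed sample log (hypothetical format, not from the post), one record per line:
# "<UTC timestamp> <proto> <src ip> <dst ip> <dst port> <direction>"
# 2003-12-12 is a Friday, 2003-12-13 a Saturday, 2003-12-14 a Sunday.
SAMPLE_LOG = """\
2003-12-12T19:30:00Z UDP 10.0.0.12 192.0.2.10 8998 out
2003-12-12T19:31:00Z UDP 10.0.0.12 192.0.2.11 53 out
2003-12-13T20:00:00Z UDP 10.0.0.15 192.0.2.10 8998 out
2003-12-14T21:59:00Z UDP 10.0.0.20 192.0.2.12 8998 out
2003-12-14T22:00:00Z UDP 10.0.0.20 192.0.2.12 8998 out
2003-12-15T19:30:00Z TCP 10.0.0.12 192.0.2.10 8998 out
"""

def parse_ts(text: str) -> datetime:
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp into a UTC-aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def in_sobig_window(ts: datetime) -> bool:
    """True if ts falls on a Friday or Sunday between 19:00 and 22:00 UTC."""
    ts = ts.astimezone(timezone.utc)   # judge day and hour in UTC, as the worm does
    return ts.weekday() in BEACON_DAYS and ts.hour in BEACON_HOURS

def find_sobig_beacons(log_text: str) -> list:
    """Return (src, dst, iso_timestamp, confidence) for every outbound UDP/8998 record.
    Records inside the Friday/Sunday window are 'high' confidence, the rest 'low'."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, proto, src, dst, dport, direction = line.split()
        if proto != "UDP" or direction != "out" or int(dport) != SOBIG_UDP_PORT:
            continue
        ts = parse_ts(ts_text)
        confidence = "high" if in_sobig_window(ts) else "low"
        hits.append((src, dst, ts.isoformat(), confidence))
    return hits

if __name__ == "__main__":
    for src, dst, when, conf in find_sobig_beacons(SAMPLE_LOG):
        print(f"{conf:4} {when} {src} -> {dst} udp/{SOBIG_UDP_PORT}")
```

A "low" hit still deserves follow-up, since the post recommends blocking the port outright; the window only raises the priority of the alert.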

When a user runs an infected attachment, Sobig creates a copy of itself called winppr32.exe in the Windows folder (C:\Windows or C:\Winnt). It then adds the value "TrayX"="%Windir%\winppr32.exe /sinc" to the following registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. This means that the virus will run each time the machine is booted. Sobig also creates a file called winstt32.dat in the Windows folder (%windir% is the Windows folder noted above), which it uses to store the e-mail addresses harvested from the victim's machine.

The virus will also look for any accessible network shares to which the PC has write access. Symantec reports, though, that due to a bug in the code, Sobig cannot copy itself to network shares. Sobig.F can download arbitrary files from server addresses stored in the virus and execute them. Also according to Symantec, "The author of the worm has used this functionality to steal confidential system information and to set up spam relay servers on infected computers". This is in line with ThreatFocus's estimate that over 50% of the spam on the Internet comes from Sobig-infected zombie computers. It is suspected that Sobig.F attempts to contact a master server that its author controls and downloads a URL from which it then fetches a Trojan to run on the local PC.…

Full article (printable version) at http://www.pcmag.com/print_article/0,3048,a=114580,00.asp

http://www.pcmag.com/article2/0,4149,1414899,00.asp
