SECURITY ALERT

Name:      W32/Sobig.f@MM
Aliases:   W32.Sobig.F@mm,WORM_SOBIG.F,Sobig.F
Variants:  
Type:      Internet Worm
Platforms: Windows 32-bit
Status:    in the wild
Threat:    V-CON 3 (medium)

The following has been derived from information provided by Symantec, F-Secure, and Network Associates.

Due to an increase in prevalence and media attention, we are raising the threat level from a V-CON 2 to a V-CON 3.


Virus Characteristics

W32/Sobig.f@MM uses its own SMTP engine to e-mail itself to all the addresses it finds in the following file types:

.txt
.eml
.html
.htm
.dbx
.wab
.hlp
.mht

The worm appends garbage data to the end of its own file, which may vary the file size and checksum from copy to copy.

The worm has been set to deactivate on September 10, 2003. After this date, the worm will exit immediately when executed.

The sender of the message may be spoofed using an address harvested from the infected machine.

The subject line used in infected messages may be one of the following:

Re: Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Thank you!
Your details

The attachment name may be one of the following:

application.zip (contains application.pif)
details.zip (contains details.pif)
document_9446.zip (contains document_9446.pif)
document_all.zip (contains document_all.pif)
movie0045.zip (contains movie0045.pif)
thank_you.zip (contains thank_you.pif)
your_details.zip (contains your_details.pif)
your_document.zip (contains your_document.pif)
wicked_scr.zip (contains wicked_scr.scr)
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
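The subject lines and attachment names above are the indicators a message gateway can act on. The following is an added example, not part of the advisory or any vendor's product: a Python filter that checks one message against these lists and also opens .zip attachments to look for the .pif/.scr member the advisory describes. The sample message it builds is constructed test data with inert bytes in place of any real attachment content.

```python
import io
import zipfile
from email.message import EmailMessage

# Subject lines and attachment names listed in the advisory.
SOBIG_F_SUBJECTS = {
    "Re: Thank you!", "Re: Details", "Re: Re: My details", "Re: Approved",
    "Re: Your application", "Re: Wicked screensaver", "Re: That movie",
    "Thank you!", "Your details",
}
SOBIG_F_ATTACHMENTS = {
    "application.zip", "details.zip", "document_9446.zip", "document_all.zip",
    "movie0045.zip", "thank_you.zip", "your_details.zip", "your_document.zip",
    "wicked_scr.zip", "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif", "application.pif",
    "wicked_scr.scr", "movie0045.pif",
}
EXECUTABLE_EXTENSIONS = (".pif", ".scr")


def check_message(msg: EmailMessage) -> list:
    """Return the list of Sobig.F indicators found in one parsed message."""
    hits = []
    subject = (msg.get("Subject") or "").strip()
    if subject in SOBIG_F_SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        lower = name.lower()
        if lower in SOBIG_F_ATTACHMENTS:
            hits.append(f"attachment:{name}")
        if lower.endswith(EXECUTABLE_EXTENSIONS):
            hits.append(f"executable-attachment:{name}")
        if lower.endswith(".zip"):
            # The advisory says the executable travels inside a .zip, so the
            # archive itself has to be opened; the scanner setting in the
            # "Preventative Measures" section addresses the same gap.
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if member.lower().endswith(EXECUTABLE_EXTENSIONS):
                            hits.append(f"zip-member:{name}:{member}")
            except zipfile.BadZipFile:
                hits.append(f"unreadable-zip:{name}")
    return hits


def build_sample_message(subject: str, attachment_name: str, zip_member: str = None) -> EmailMessage:
    """Construct a test message (not a worm sample); attachment bodies are inert placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See attached.")
    if zip_member:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(zip_member, b"placeholder, not executable content")
        data, maintype, subtype = buf.getvalue(), "application", "zip"
    else:
        data, maintype, subtype = b"placeholder, not executable content", "application", "octet-stream"
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=attachment_name)
    return msg


if __name__ == "__main__":
    sample = build_sample_message("Re: Thank you!", "thank_you.zip", "thank_you.pif")
    for hit in check_message(sample):
        print(hit)
```

A gateway policy built on the first two checks alone misses the case the advisory warns about, where the .pif is only visible inside the archive; the zip inspection is the part that matters.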


Payload

W32/Sobig.f@MM drops a copy of itself with the filename WINPPR32.EXE into the default WINDOWS directory and a text file named WINSTT32.DAT into the same directory.

The following registry keys are added to hook Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"TrayX" = "%WINDIR%\WINPPR32.EXE /sinc"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"TrayX" = "%WINDIR%\WINPPR32.EXE /sinc"
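The two Run-key values above are the persistence indicators to look for during triage. The following is an added example, not from the advisory or any vendor: a Python routine that parses a .reg-format export of the Run keys and flags entries matching the "TrayX" value name or the WINPPR32.EXE filename. The export text is constructed test data.

```python
import re

# Run keys named in the advisory, lowercased because export tools vary the case.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
SOBIG_F_VALUE_NAME = "TrayX"        # value name from the advisory
SOBIG_F_BINARY = "WINPPR32.EXE"     # dropped filename from the advisory

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # "name"="string data"


def parse_reg_export(text: str):
    """Yield (key, value_name, data) for REG_SZ values in a .reg-format export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            # .reg files escape backslashes as '\\' and quotes as '\"'.
            data = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
            yield key, m.group(1), data


def find_sobig_autoruns(text: str) -> list:
    """Return Run-key entries that match the advisory's persistence indicators."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in RUN_KEYS:
            continue
        if name == SOBIG_F_VALUE_NAME or SOBIG_F_BINARY in data.upper():
            hits.append({"key": key, "name": name, "data": data})
    return hits


# Constructed export: one infected-looking entry per hive plus a benign one.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayX"="C:\\WINDOWS\\WINPPR32.EXE /sinc"
"VendorUpdater"="C:\\Program Files\\Vendor\\update.exe -silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TrayX"="C:\\WINDOWS\\WINPPR32.EXE /sinc"
"""

if __name__ == "__main__":
    for hit in find_sobig_autoruns(SAMPLE_EXPORT):
        print(hit["key"], hit["name"], hit["data"])
```

Matching on both the value name and the filename is deliberate: either alone could be renamed in a variant, and the "/sinc" argument is left out of the match because it is the least stable part of the string.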

This worm has the ability to download arbitrary files from the Internet and execute them. The purpose of this behaviour may be to download an updated version of itself or a Trojan component.

This download attempt occurs if the following conditions are met:

According to UTC time, the day of the week is Monday or Friday.
According to UTC time, the time is between 7:00 PM and 11:59:59 PM.

The worm determines the current UTC time using NTP. It contacts one of several servers on UDP port 123 (NTP) once every hour.

If the time conditions are met, the worm initiates the download by sending a probe to UDP port 8998 on the master server. The master server then replies with a URL that the worm can use to download the file that is to be executed.

The worm opens the following ports:

995/UDP
996/UDP
997/UDP
998/UDP
999/UDP

It listens for any incoming UDP datagrams on these ports in order to receive an updated list of master servers.

This is also a network-aware worm. It will attempt to create copies of itself on all remote shares to which it has access.


Preventative Measures

Ensure that deployed anti-virus products are configured to scan within compressed files. At the firewall, block the following traffic:

- Inbound UDP ports 995 to 999
- Outbound UDP port 8998
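The listening ports (995-999/UDP), the master-server probe (8998/UDP) and the Monday/Friday evening activation window together give a network detection that can run on firewall or flow logs before the blocks above are in place. The following is an added example, not from the advisory or any vendor: a Python classifier over constructed flow records that flags the two port patterns and annotates an outbound 8998 probe with whether it fell inside the advisory's time window. Hosts, timestamps and the record format are all constructed.

```python
from datetime import datetime, timezone
from typing import Optional

# Ports from the advisory.
MASTER_LIST_PORTS = range(995, 1000)   # inbound UDP 995-999: updated master-server list
MASTER_PROBE_PORT = 8998               # outbound UDP 8998: probe to the master server


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_download_window(ts: datetime) -> bool:
    """Advisory condition: UTC weekday is Monday or Friday and time is 19:00:00-23:59:59."""
    ts = ts.astimezone(timezone.utc)
    return ts.weekday() in (0, 4) and ts.hour >= 19


def parse_flow(line: str) -> dict:
    """Parse one constructed record: '<ts> proto=.. src=.. sport=.. dst=.. dport=.. dir=in|out'."""
    ts_text, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = parse_ts(ts_text)
    return rec


def classify_flow(rec: dict) -> Optional[str]:
    """Return an alert string if the flow matches the advisory's network indicators."""
    if rec.get("proto") != "udp":
        return None
    dport = int(rec["dport"])
    if rec.get("dir") == "in" and dport in MASTER_LIST_PORTS:
        return (f"inbound UDP/{dport} to {rec['dst']}: matches Sobig.F master-list "
                f"listener range 995-999 (block inbound UDP 995-999)")
    if rec.get("dir") == "out" and dport == MASTER_PROBE_PORT:
        when = "inside" if in_download_window(rec["ts"]) else "outside"
        return (f"outbound UDP/{MASTER_PROBE_PORT} from {rec['src']}: matches Sobig.F "
                f"master-server probe, {when} the Mon/Fri 19:00-23:59:59 UTC window")
    return None


def scan_flows(lines) -> list:
    """Run classify_flow over an iterable of flow records and return the alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            verdict = classify_flow(parse_flow(line))
            if verdict:
                alerts.append(verdict)
    return alerts


# Constructed flow log. 2003-08-22 is a Friday; 2003-08-20 is a Wednesday.
SAMPLE_FLOWS = """\
2003-08-22T19:05:12Z proto=udp src=192.0.2.15 sport=40213 dst=198.51.100.7 dport=123 dir=out
2003-08-22T19:06:01Z proto=udp src=192.0.2.15 sport=40214 dst=203.0.113.9 dport=8998 dir=out
2003-08-22T19:06:02Z proto=udp src=203.0.113.9 sport=8998 dst=192.0.2.15 dport=996 dir=in
2003-08-22T19:07:30Z proto=tcp src=192.0.2.15 sport=40215 dst=198.51.100.20 dport=25 dir=out
2003-08-20T10:00:00Z proto=udp src=192.0.2.16 sport=40300 dst=203.0.113.9 dport=8998 dir=out
"""

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS.splitlines()):
        print(alert)
```

The NTP query on the first line is left unflagged on purpose: hourly NTP is normal traffic, and the advisory only gives it as the mechanism the worm uses to learn the time. The time-window annotation is there to help prioritise: an outbound 8998 probe inside the window is the moment a download could follow, so that host should be isolated first.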

Block files with the .PIF extension at the message gateway where possible.


Fixes Available

Network Associates:
Minimum DAT: 4287
Release Date: 08/20/2003
Minimum Engine: 4.1.60

Symantec:
Virus Definitions (Intelligent Updater): August 19, 2003
Virus Definitions (LiveUpdate): August 19, 2003

Trend:
Pattern File: 617
Minimum Scan Engine: 6.100
