CAN20030820c
Sobig.F Worm Compromises Security
E-mail Worm Allows Hackers To Steal
Information, Set Up Spam Relay Servers
Dates & Revisions
- Original CAN date: August 20, 2003
- Latest revision: August 25, 2003
Systems Affected
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003
Problem Overview
An e-mail worm is spreading across the Internet and infecting
many Windows-based PCs. It arrives as an attached file which
users must open to activate.
The message appears as:
- From: Spoofed address (the sender in the "From"
  field is most likely not the real sender). The worm may use the address
  admin@internet.com as the sender.
- Subject (contains one of the following lines):
  - Re: Details
  - Re: Approved
  - Re: Re: My details
  - Re: Thank you!
  - Re: That movie
  - Re: Wicked screensaver
  - Re: Your application
  - Thank you!
  - Your details
- Body (contains one of the following messages):
  - See the attached file for details
  - Please see the attached file for details.
- Attachment (one of the following file names; be aware that the .pif or
  .scr extension may not display on your computer):
  - your_document.pif
  - document_all.pif
  - thank_you.pif
  - your_details.pif
  - details.pif
  - document_9446.pif
  - application.pif
  - wicked_scr.scr
  - movie0045.pif
If you open the attachment, you will infect
your computer. Once your system is infected, the worm will add entries to the
system registry, then copy itself to any network shares to which it has write
access. The worm will attempt to e-mail itself to most e-mail addresses which it
finds on your system, possibly causing system instability and consuming available
Internet bandwidth. The worm also has the capability to download files to your
computer and execute them. The author of the worm has used this functionality
to steal confidential system information and to set up spam relay servers on
infected computers.
One of the most frustrating aspects of this
worm is that you may be affected by it even though your computer is not infected
by it. First, you may receive numerous e-mails from an infected system and (due
to the nature of the spoofed sender address) not be able to determine the true
sender. Secondly, YOUR e-mail address may be discovered on an infected computer
and used as the spoofed sender address in e-mail addressed to other recipients
whose e-mail addresses were also discovered on that same infected computer. When this
happens, recipients are likely to assume that you sent an infected message to
them and undeliverable infected e-mails will be bounced back to your inbox.
Problem Details
For detailed technical descriptions of the problem, please
review the following links:
Please note that the organizations
controlling the content of the web sites referenced by these links may
periodically update the information on their sites as new details about the
severity of the threat become known.
What Should I Do?
You should immediately:
- review the bulletins listed above, and
- delete any such e-mail which you
receive, and
- remove any unnecessary network shares
from your computer, and
- update your anti-virus software with
the latest available signature files.
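The sender, subject, body and attachment indicators listed in this CAN can be checked automatically at a mail gateway or against a saved message. The following Python code is an added example, not part of the original advisory; the function names, the quarantine policy and the sample message builder are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from this advisory's lists, lower-cased for comparison.
SUBJECTS = {"re: details", "re: approved", "re: re: my details", "re: thank you!",
            "re: that movie", "re: wicked screensaver", "re: your application",
            "thank you!", "your details"}
BODIES = {"see the attached file for details", "please see the attached file for details"}
ATTACHMENTS = {"your_document.pif", "document_all.pif", "thank_you.pif",
               "your_details.pif", "details.pif", "document_9446.pif",
               "application.pif", "wicked_scr.scr", "movie0045.pif"}

def _norm(text):
    """Collapse whitespace, lower-case, and drop a trailing period."""
    return " ".join(str(text or "").split()).lower().rstrip(".")

def sobig_f_indicators(raw):
    """Return the sorted advisory indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    if parseaddr(str(msg["From"] or ""))[1].lower() == "admin@internet.com":
        hits.add("from")  # weak on its own: the sender address is spoofed
    if _norm(msg["Subject"]) in SUBJECTS:
        hits.add("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and _norm(body.get_content()) in BODIES:
        hits.add("body")
    for part in msg.iter_attachments():
        name = _norm(part.get_filename())
        if name in ATTACHMENTS:
            hits.add("attachment-name")
        elif name.endswith((".pif", ".scr")):
            hits.add("attachment-extension")  # extension may be hidden from the user
    return sorted(hits)

def should_quarantine(raw):
    """Assumed policy: hold any message carrying a listed or .pif/.scr attachment."""
    return any(h.startswith("attachment") for h in sobig_f_indicators(raw))

def build_sample(subject, body, filename, sender="admin@internet.com"):
    """Constructed test message with an inert attachment payload."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content(body)
    m.add_attachment(b"inert placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Because the sender address is spoofed, a "from" hit identifies the message, not the infected computer that sent it.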
What If I Am Unable To Fix The Problem?
If you are unable to correct these problems yourself or
are unsure how to proceed, contact Logical
Operators by clicking here and arrange to have one of our service
technicians check your system and apply the corrections for you (standard
service fees will apply). In addition to correcting the problem(s) listed in
this CAN, our technicians can also test your system for thousands of other known
threats which may be present on your system, make valuable recommendations on
securing your system from future threats, and perform numerous
other computing services.