Here we go again…
Yet another member of the SoBig virus family is loose.
SoBig.F (w32.sobig.f@mm) spreads via e-mail and shared network files. The latest
variant of the SoBig worm is hammering corporate networks, crashing email
servers, staggering Internet traffic and accounted for 70 percent of all email
on August 20th, according to security analysts.
This worm affects only Windows computers, not Macintosh, Linux, or Unix systems. Like
its siblings, SoBig.F has a built-in termination date, September 10, 2003, and
can attempt to retrieve, download, and finally execute a Trojan to steal credit
card numbers and other personal account information. But SoBig.F differs in that
it appends garbage characters to the end of the infected file, making it harder
for antivirus products to recognize it.
Security experts also say SoBig.F is hitting the Internet so hard because it is building
on the impact of its SoBig predecessors.
Earlier variants of SoBig have infected computers and then downloaded Trojans to set the
machines up to be hidden proxy servers. The result is that the author now has a huge
army for the next seeding. Every SoBig variant becomes bigger and bigger,
basically because of this "army" of infected machines.
SoBig.F is designed to die out on September 10th. That's leading many analysts to
suspect that the next variant will hit on September 11th or soon after. And if
that variant builds on the malicious success of SoBig.F, then the damage could
be even worse.
SoBig.F has quickly become the most widespread virus in the history of email worms and
it's spreading very rapidly. There were more than 1 million interceptions of the
worm in the 24-hour period encompassing August 20th. By contrast, the average
significant worm will get 10,000 to 50,000 interceptions in a day.
How it Works
SoBig.F arrives as an e-mail with the following characteristics:
The From and To addresses are collected from infected PCs and extracted from files
ending with the extensions .dbx, .eml, .htm, .html, .txt, and .wab. If you are
getting e-mails from ISPs stating that an e-mail you sent was erased as
infected, it most likely did not come from your machine; rather, your address was placed
in the "From" field from an infected computer's address book or other
file.
The SoBig.F subject line reads:
- Re: Details
- Re: Approved
- Re: Re: My details
- Re: Thank you!
- Re: That movie
- Re: Wicked screensaver
- Re: Your application
- Thank you!
- Your details
Its body text reads:
The file attached to SoBig.F is:
The most important single thing you can do is NOT open the attachment,
especially if it comes from someone you do not know. The only way to launch this
worm is to open the attachment. If you launch the worm, your computer is
infected and bad things happen.
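A mail-gateway triage check built from the subject lines listed above, added here as an example (not code from the original article). It parses constructed RFC 822 messages with Python's email module, flags those whose Subject matches the SoBig.F list after whitespace and case normalization, and records the apparent sender for logging only, since the article notes that the From address is harvested from another infected machine.

```python
import email

# Subject lines the article lists for SoBig.F.
SOBIG_F_SUBJECTS = {
    "Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Thank you!", "Your details",
}

def normalize(subject):
    """Collapse runs of whitespace and fold case so trivial variations still match."""
    return " ".join((subject or "").split()).lower()

_NORMALIZED = {normalize(s) for s in SOBIG_F_SUBJECTS}

def triage(raw_message):
    """Return (suspicious, subject, apparent_sender) for one raw RFC 822 message.

    The apparent sender is returned for the quarantine log only. Because SoBig.F
    forges From with addresses harvested elsewhere, it must not be used to blame
    or notify that person.
    """
    msg = email.message_from_string(raw_message)
    subject = msg.get("Subject", "")
    sender = msg.get("From", "")
    return normalize(subject) in _NORMALIZED, subject, sender

def quarantine_hits(raw_messages):
    """Run triage over a batch; return (index, subject, apparent_sender) for messages to hold."""
    hits = []
    for idx, raw in enumerate(raw_messages):
        suspicious, subject, sender = triage(raw)
        if suspicious:
            hits.append((idx, subject, sender))
    return hits

# Constructed sample messages (not real captures); addresses are placeholders.
SAMPLES = [
    "From: alice@example.test\nTo: bob@example.test\nSubject: Re: Wicked   screensaver\n\nSee the attached file.\n",
    "From: carol@example.test\nTo: bob@example.test\nSubject: Lunch on Friday?\n\nStill on?\n",
    "From: dave@example.test\nTo: bob@example.test\nSubject: your details\n\nPlease see attached.\n",
]

if __name__ == "__main__":
    for idx, subj, sender in quarantine_hits(SAMPLES):
        print(f"HOLD message {idx}: subject={subj!r} apparent sender={sender!r}")
```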
When executed, the worm will add the following to the system registry:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
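A host check for the two Run entries above, added here as an example (not code from the original article). It parses a constructed .reg export of the Run keys and reports any value named TrayX or pointing at winppr32.exe; the sample export and its expanded %windir% path are constructed, not taken from a real machine.

```python
import re

# Autorun indicator from the article: value "TrayX" launching %windir%\winppr32.exe /sinc.
SOBIG_F_RUN_NAME = "TrayX"
SOBIG_F_BINARY = "winppr32.exe"
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

def parse_reg_export(text):
    """Parse a .reg export (REGEDIT4 / 5.00 style) into {key: {name: value}}.

    Only quoted REG_SZ values of the form "name"="value" are read, which is the
    form autorun entries take; the export's doubled backslashes are unescaped.
    """
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                tree[current][m["name"]] = m["value"].replace("\\\\", "\\").replace('\\"', '"')
    return tree

def find_sobig_autorun(reg_text):
    """Return [(key, name, value)] for Run-key entries matching the SoBig.F indicator."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, value in values.items():
            if name == SOBIG_F_RUN_NAME or SOBIG_F_BINARY in value.lower():
                hits.append((key, name, value))
    return hits

# Constructed sample export; the clean entries are filler, not real indicators.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
'''

if __name__ == "__main__":
    for key, name, value in find_sobig_autorun(SAMPLE_REG):
        print(f"SoBig.F autorun indicator: [{key}] {name} = {value}")
```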
A Hidden Trojan?
A Central Command Press Release,
which appears to be the first to disclose the hidden encrypted code planted by
SoBig.F, gives an activation date of September 10-11 for a Trojan planted by
SoBig.F to do something, except nobody knows just what.
SoBig.F appears to have infected nearly 100 million systems in just over four days and,
when the Trojan activates, it will launch itself from 20 ordinary systems, many
of them home computers on cable modems, located in the U.S., Canada, and Korea.
For now, it isn't known whether the Trojan will try to co-opt other systems
already compromised by SoBig.F or will launch some entirely different sort of
attack.
Although the eventual attack may not be of a serious nature, this is a highly
sophisticated attack, even using atomic clocks to synchronize the activation of
the Trojan, and chances are good that this is a potentially serious event. At
worst, it could involve some form of cyberterrorism.
Prevention
The most important thing you can do is not open e-mail attachments without
first saving them to hard disk and scanning them with updated
antivirus software. If you do not have automatic antivirus signature file
updates, contact your antivirus vendor to obtain the most-current antivirus
signature files that include SoBig.F. It is critical that you keep updated
anti-virus files on your computer. Visit your vendor’s site (see below).
The best way to determine if you are infected is to scan your system(s) with one of
the many antivirus programs (updated with the latest virus signatures). Network
Associates reports that SoBig.F uses the filename winppr32.exe, and copies
itself to the Windows folder, making one of the registry entries shown above in
the process. Because SoBig.F has its own SMTP engine, collects e-mail addresses
from various files on an infected computer, and then forges the sender's e-mail,
it is very difficult to determine who is infected based on an infected message.
Removal
Most antivirus-software companies have updated their signature files to include
this worm. The updates will stop the infection upon contact and, in some cases,
will remove an active infection from your system. For more information, see Central
Command, Computer Associates, F-Secure, McAfee, MessageLabs, Norman, Panda, Sophos,
Symantec, and Trend Micro.
Although removing SoBig.F from an infected system (unless it is one of the 20 selected
targets) may not have any effect on slowing this attack, you should still be
diligent in getting it cleaned up, if only because other Trojan variants may be
programmed to do other things on a local system.
At the very least, block UDP port 8998 on your firewalls and your systems. That
should mitigate damages somewhat by blocking the worm from downloading any
further malicious code.
Final Word
The worst of SoBig.F may not be over yet. Because of the unpredictable dangers
inherent in the hidden Trojan that appears to be included with SoBig.F, every
administrator should move quickly to mitigate the damage that could be caused by
this worm by following the recommendations mentioned above for removing SoBig.F
and blocking its communications ability.
Basic Glossary:
Trojan: a malicious program that pretends to be a benign
application; a Trojan program purposefully does something the user does not
expect. Trojans are not viruses since they do not replicate, but Trojan horse
programs can be just as destructive. Many people use the term to refer only to
non-replicating malicious programs, thus making a distinction between Trojans
and viruses. Also: Trojan horse.
Virus: a computer program file capable of attaching
to disks or other files and replicating itself repeatedly, typically without
user knowledge or permission. Some viruses attach to files so that when the infected
file executes, the virus also executes. Other viruses sit in a computer's memory
and infect files as the computer opens, modifies or creates the files. Some
viruses display symptoms, and some viruses damage files and computer systems,
but neither symptoms nor damage is essential in the definition of a virus; a
non-damaging virus is still a virus.
There are computer viruses written for several operating systems, including DOS,
Windows, Amiga, Macintosh, Atari, UNIX, and others. There are currently
more than 57,000 viruses, Trojans, and other malicious software.
Worms: parasitic computer programs that replicate but, unlike viruses, do not
infect other computer program files. Worms can create copies on the same
computer, or can send the copies to other computers via a network. Worms often
spread via IRC (Internet Relay Chat).
David Tschanz is a medical/military historian currently based in Saudi Arabia.
He is also an epidemiologist, web developer, editor and demographer. David is a
Microsoft certified systems engineer and also writes computer-related articles.
You may contact him by sending your emails to: Desertwriter1121@yahoo.com