What is SoBig.E Worm and How Did I Get It?
The SoBig worm spreads through email attachments and shared network folders. It sends copies of itself via its own SMTP engine and obtains the recipient addresses from information found in files with the following extensions:
- .wab
- .dbx
- .htm
- .html
- .eml
- .txt
The details of the email are:
Sender (one of the following):
- support@yahoo.com
- <username@domain.com>
- <obtained email address>
When constructing the email, the worm spoofs the From field using support@yahoo.com, an email address that it has obtained from the system, or the user name and domain of the currently logged-on user.
The subject can be one of:
- referer.pif
- 004448554.pif
- re.document.pif
- new_document.pif
- submited.pif
- Screensaver.scr
- movie.pif
- Applications.pif
- Application.pif
- Your application
- Re: Re: Document
- Re: Re: Application ref. 003644
- Re: Documents
- Re: Screensaver
- Re: Submited (Ref: 003746)
- Re: Movies
- Re: Movie
- Re: Application
What makes this virus unique is that the attachment is a zip file, which is normally not a problem unless it is unzipped. However, Windows XP machines have unzipping built in, so the archive is opened when you double-click on the attachment. The attachment is one of the following (the file it contains is given in parentheses):
- Movie.zip (Movie.pif)
- screensaver.zip (sky_world.scr)
- document.zip (document.pif)
- application.zip (application.pif)
- Your_details.zip (details.pif)
The worm also attempts to copy itself to the following folders on all open network shares:
- \Windows\All Users\Start Menu\Programs\StartUp
- Documents and Settings\All Users\Start Menu\Programs\Startup
The worm stops spreading via network shares on July 14, 2003.
How to Remove SoBig.E Worm?
Kaspersky Internet Security can protect you from viruses and intrusions. If Kaspersky detects Sobig.F during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.
Follow these steps to remove the SoBig.E worm.
1) Terminate the running program
- Open the Windows Task Manager by pressing CTRL+ALT+DEL on Win9x machines, or by pressing CTRL+Shift+Tab and clicking on the Processes tab on WinNT/2000/XP machines.
- Locate the following program, click on it and choose End Task or End Process:
SFtrb Service or winssk32.exe
2) Remove the Registry entries
- Click on Start, Run, and enter Regedit.
- In the left panel, go to HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
- In the right panel, right-click and delete the following entry:
SSK Service
Repeat this procedure for the following location:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
- Close the Registry Editor.
3) Delete the infected files
- Click Start, point to Find or Search, and then click Files or Folders.
- Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
- In the "Named" or "Search for..." box, type, or copy and paste, the file names:
msrrf.dat
winssk32.exe
- Click Find Now or Search Now.
- Delete the displayed files.
4) Reboot the computer and run a thorough virus scan using your favorite antivirus program. If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear the following tips in mind:
- If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file, and delete it, making sure that you also delete it from the Deleted Items folder.
- Install a good antivirus on your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
- Keep your permanent antivirus protection enabled at all times.
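As an added example (not part of the original write-up), the filtering tip above expressed as a Python check that flags a message showing the SoBig.E characteristics listed earlier: the spoofed support@yahoo.com sender, the known subject lines and the known zip attachment names. The sample message is constructed rather than a real capture, and the rule that two coinciding characteristics are enough to reject a message is an assumption.

```python
"""Mail-filter check for the SoBig.E characteristics described above."""
import email
from email import policy

# Indicators copied from the write-up above, compared case-insensitively.
SOBIG_E_SUBJECTS = {
    "referer.pif", "004448554.pif", "re.document.pif", "new_document.pif",
    "submited.pif", "screensaver.scr", "movie.pif", "applications.pif",
    "application.pif", "your application", "re: re: document",
    "re: re: application ref. 003644", "re: documents", "re: screensaver",
    "re: submited (ref: 003746)", "re: movies", "re: movie", "re: application",
}
SOBIG_E_ATTACHMENTS = {"movie.zip", "screensaver.zip", "document.zip",
                       "application.zip", "your_details.zip"}
SPOOFED_SENDER = "support@yahoo.com"

def sobig_e_indicators(raw_message: bytes) -> list:
    """Return the SoBig.E characteristics found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if SPOOFED_SENDER in (msg.get("From") or "").lower():
        hits.append(f"spoofed sender {SPOOFED_SENDER}")
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SOBIG_E_SUBJECTS:
        hits.append(f"known subject line {subject!r}")
    for part in msg.iter_attachments():  # yields nothing for non-multipart mail
        name = (part.get_filename() or "").lower()
        if name in SOBIG_E_ATTACHMENTS:
            hits.append(f"known attachment name {name!r}")
        elif name.endswith((".pif", ".scr")):
            hits.append(f"executable attachment {name!r}")
    return hits

def should_reject(raw_message: bytes) -> bool:
    """Assumed policy: reject when two or more characteristics coincide."""
    return len(sobig_e_indicators(raw_message)) >= 2

# Constructed sample modelled on the write-up; not a real captured message.
SAMPLE = b"""From: support@yahoo.com
Subject: Re: Movie
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="Movie.zip"
Content-Disposition: attachment; filename="Movie.zip"

UEsDBAoAAAAAAA==
--b1--
"""
```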