What is Sobig.F Worm and How Did I Get It?
The Sobig.F worm spreads through email attachments and shared network folders. It sends copies of itself via its own SMTP engine and obtains recipient addresses from files on the infected machine with the following extensions:
- .dbx
- .eml
- .hlp
- .htm
- .html
- .mht
- .wab
- .txt
The details of the email are as follows.
Subject (any of the following):
Re: Thank you!
Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
When constructing the email, the worm spoofs the From field with an address it has harvested from the system, or it uses admin@internet.com as the From address. Because the sender is spoofed, the machine the message appears to come from is usually not the infected one.
The message body contains one of:
- See the attached file for details
- Please see the attached file for details.
The attachment is one of the following:
- your_document.pif
- document_all.pif
- thank_you.pif
- your_details.pif
- details.pif
- document_9446.pif
- application.pif
- wicked_scr.scr
- movie0045.pif
Every attachment name ends in .pif or .scr; both are executable formats on Windows, so opening the attachment runs the worm. The worm is programmed to stop spreading on September 10, 2003, but machines infected before that date remain infected until they are cleaned.
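A mail filter built from the characteristics above, as an added example that is not code from the original page or from any antivirus vendor. It parses a raw message with Python's standard email package, scores it against the subject lines, sender, body text and attachment names listed, and rejects on any .pif/.scr attachment or on two weaker indicators together (subject and body text alone also occur in legitimate mail). The two sample messages are constructed inline for demonstration, not captured worm emails.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators copied from the description of the Sobig.F mailing above.
SOBIG_SUBJECTS = {
    "Re: Thank you!", "Thank you!", "Re: Details", "Re: Re: My details",
    "Re: Approved", "Re: Your application", "Re: Wicked screensaver",
    "Re: That movie",
}
SOBIG_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}
SOBIG_BODIES = {
    "see the attached file for details",
    "please see the attached file for details.",
}
SOBIG_FROM = "admin@internet.com"
# .pif and .scr are executable on Windows; treat any such attachment as hostile.
EXECUTABLE_EXTENSIONS = (".pif", ".scr")


def sobig_indicators(raw):
    """Return the list of Sobig.F indicators matched by a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SOBIG_SUBJECTS:
        hits.append("subject: " + subject)
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    if sender == SOBIG_FROM:
        hits.append("from: " + sender)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in SOBIG_ATTACHMENTS:
            hits.append("attachment: " + name)
        elif name.endswith(EXECUTABLE_EXTENSIONS):
            hits.append("executable attachment: " + name)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body is not None else ""
    if text in SOBIG_BODIES:
        hits.append("body: stock Sobig.F text")
    return hits


def should_reject(raw):
    """Reject on any executable attachment, or on two weaker indicators together.

    The attachment is what carries the worm; subject and body text alone are
    not enough because they also occur in legitimate replies."""
    hits = sobig_indicators(raw)
    if any(h.startswith(("attachment:", "executable attachment:")) for h in hits):
        return True
    return len(hits) >= 2


def build_sample(subject, sender, body, attachment_name=None):
    """Construct a sample message (test data, not a captured worm email)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ placeholder, not a real executable",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one mimicking the worm's mail, one ordinary message.
WORM_SAMPLE = build_sample("Re: Thank you!", "admin@internet.com",
                           "See the attached file for details", "thank_you.pif")
CLEAN_SAMPLE = build_sample("Lunch?", "alice@example.com",
                            "Are we still on for noon?")

if __name__ == "__main__":
    for label, raw in (("worm", WORM_SAMPLE), ("clean", CLEAN_SAMPLE)):
        verdict = "reject" if should_reject(raw) else "accept"
        print(label, verdict, sobig_indicators(raw))
```

To use it on real traffic, feed each message's raw bytes (as read from the spool or a mailbox file) to should_reject; the .pif/.scr rule will also stop other mass-mailers of the period, which is usually what you want.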
How to Remove Sobig.F Worm?
Kaspersky Internet Security can protect you from viruses and intrusions. If Kaspersky detects Sobig.F during a scan, it will automatically offer to delete it; follow the program's instructions.
To remove the Sobig.F worm manually, follow these steps.
1) Disconnect from the Internet and from any network you are connected to, so the worm cannot keep mailing itself or copying itself to shares while you clean up. On Windows XP or Windows ME, also disable System Restore before continuing, because a restore point can hold a copy of the worm that a later restore would bring back.
2) Terminate the running program.
- Open the Windows Task Manager: press CTRL+ALT+DEL on Win9x machines, or press CTRL+SHIFT+ESC and click the Processes tab on WinNT/2000/XP machines.
- Locate the following program, click on it and choose End Task or End Process:
Winppr32.exe
3) Remove the Registry entries.
- Click Start, Run, type regedit and press Enter.
- In the left panel go to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- In the right panel, right-click and delete the entry named TrayX, which shows the line
"TrayX"="%Windir%\winppr32.exe /sinc"
Repeat this procedure for the following Registry key as well; the value may be present under one key, the other, or both:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Close the Registry Editor.
4) Delete the infected files.
- Click Start, point to Find or Search, and then click Files or Folders.
- Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
- In the "Named" or "Search for..." box, type, or copy and paste, the file names:
Winstt32.dat
winppr32.exe
- Click Find Now or Search Now.
- Delete the displayed files. Both normally sit in the Windows directory (%Windir%).
5) Reboot the computer and run a thorough virus scan using your favorite antivirus program. If you do not know which antivirus software can provide strong protection for you, Kaspersky Internet Security is recommended.
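The manual steps above, scripted as an added example that is not code from the original page or from any antivirus vendor. It kills the winppr32.exe process, removes any Run value named TrayX or pointing at winppr32.exe from both hives, and deletes the two dropped files; by default it only reports what it would remove, and it deletes only when run with --delete. It assumes Python on the infected Windows machine and the taskkill command (present on Windows XP Professional and later); the Run-key matching and file check are plain functions so they can also be run over an exported key or a mounted disk from another system.

```python
import os
import platform
import subprocess
import sys

# Artifacts named in the manual removal steps above.
WORM_PROCESS = "winppr32.exe"
WORM_FILES = ("winppr32.exe", "winstt32.dat")
RUN_VALUE_NAME = "TrayX"
RUN_KEYS = (
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)


def suspicious_run_values(values):
    """Return (name, data) pairs of Run-key values that launch the worm.

    `values` maps value name -> command line, so this works on a registry
    export as well as on the live key. Matching on the file name as well as
    on the value name "TrayX" also catches a renamed value."""
    found = []
    for name, data in values.items():
        if name == RUN_VALUE_NAME or WORM_PROCESS in str(data).lower():
            found.append((name, data))
    return found


def infected_files(windir):
    """Paths of worm files that exist under the given Windows directory."""
    return [os.path.join(windir, name) for name in WORM_FILES
            if os.path.isfile(os.path.join(windir, name))]


def read_run_key(hive_name, subkey):
    """Read every value of a Run key into a dict (Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(getattr(winreg, hive_name), subkey) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = data
            index += 1
    return values


def clean(dry_run=True):
    """Kill the worm, remove its autostart values and delete its files.

    With dry_run=True (the default) it only reports what it would remove."""
    if platform.system() != "Windows":
        raise SystemExit("run this on the infected Windows machine")
    import winreg
    windir = os.environ.get("WINDIR", r"C:\Windows")
    if not dry_run:
        # Stop the running copy first, otherwise its file cannot be deleted.
        subprocess.run(["taskkill", "/F", "/IM", WORM_PROCESS],
                       capture_output=True)
    for hive_name, subkey in RUN_KEYS:
        for name, data in suspicious_run_values(read_run_key(hive_name, subkey)):
            print(f"{hive_name}\\{subkey}\\{name} = {data!r}")
            if not dry_run:
                with winreg.OpenKey(getattr(winreg, hive_name), subkey, 0,
                                    winreg.KEY_SET_VALUE) as key:
                    winreg.DeleteValue(key, name)
    for path in infected_files(windir):
        print(path)
        if not dry_run:
            os.remove(path)


if __name__ == "__main__":
    clean(dry_run="--delete" not in sys.argv)
```

Run it once without arguments to see what it found, then with --delete from an administrator prompt. It replaces steps 2 to 4 only; disconnecting from the network first, rebooting, and running a full antivirus scan afterwards are still needed, because the worm may have been copied to network shares the script does not touch.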
How to Protect My Computer from Worms?
In order to keep your computer protected, bear the following tips in mind:
- If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus, do not open it and do not run the attached file; delete it, making sure that you also delete it from the Deleted Items folder.
- Install a good antivirus on your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
- Keep your permanent antivirus protection enabled at all times.