
Fast-spreading SoBig.F may harbor a dangerous Trojan

Tags: Spyware, adware & malware, Viruses and worms, SECURITY, Sobig.F worm, John McCormick, Sobig, trojan horse, F-Secure Corp.


Takeaway: The worst part of SoBig.F may not be that it is spreading quickly and bogging down networks. Several antivirus companies have discovered that this worm carries a dangerous hidden Trojan. See what you need to do to mitigate damage from SoBig.F.


The SoBig.F worm has continued to pound organizations, ISPs, and individual users to the point that numerous parties in IT are now calling it the fastest-spreading virus ever. Now it also appears that the virus and its variants may be carrying a dangerous hidden Trojan.

The Trojan
According to antivirus companies Sophos and F-Secure, on Friday, Aug. 22, 2003, beginning precisely at 19:00:00 UTC (3:00 P.M. Eastern Daylight Time), a Trojan planted by SoBig.F is scheduled to activate and do something—except nobody knows just what.

A Central Command Press Release, which appears to be the first to disclose the hidden encrypted code planted by SoBig.F, gives the same time, but sets the activation date as September 10-11. Of course, that doesn't necessarily mean that Central Command is incorrect; there may be multiple variants of the Trojan.

F-Secure reports its analysis of the code provides some server addresses that don't lead to anything right now, and speculates that the server addresses will be forwarded to some other address just seconds before the Trojan activates in order to prevent antivirus analysts from reading the program and working out countermeasures in advance.

F-Secure is also providing some additional details, such as the fact that SoBig.F appears to have infected nearly 100 million systems in just over four days and, when the Trojan activates, it will launch itself from 20 ordinary systems—many of them home computers on cable modems—located in the U.S., Canada, and Korea. For now, it isn't known whether the Trojan will try to co-opt other systems already compromised by SoBig.F or will launch some entirely different sort of attack.

Although the eventual attack may not be of a serious nature, this is a highly sophisticated attack, even using atomic clocks to synchronize the activation of the Trojan, and chances are good that this is a potentially serious event. At worst, it could involve some form of cyberterrorism. Attempts to reach the FBI cybersecurity division were unsuccessful.

Cleaning up SoBig.F
Although removing SoBig.F from an infected system (unless it is one of the 20 selected targets) may not have any effect on slowing this attack, you should still be diligent in getting it cleaned up—if only because other Trojan variants may be programmed to do other things on a local system.

At the very least, block UDP port 8998 on your firewalls and your systems. That should mitigate damages somewhat by blocking the worm from downloading any further malicious code.

The best way to determine if you are infected is to scan your system(s) with one of the many antivirus programs (updated with the latest virus signatures), such as the one from Sophos. Also, Sophos reports that SoBig.F uses the filename winppr32.exe, and that it copies itself to the Windows folder, making one of the registry entries shown here in the process. Because SoBig.F has its own SMTP engine, collects e-mail addresses from various files on an infected computer, and then forges the sender's e-mail, it is very difficult to determine who is infected based on an infected message.

There are a few manual removal options. Trend Micro provides manual removal instructions for SoBig.F and McAfee also has a page with manual removal instructions. All manual removal requires some complex steps, including Registry editing, which should only be attempted by IT professionals and not end users. Also note that Symantec is offering a free downloadable removal tool.
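As an added example (not from the article or from any vendor's tool), here is a small Python check that applies the two indicators the article names: the winppr32.exe file in the Windows folder and allowed UDP traffic to port 8998. The firewall log format and the sample log lines are constructed for the demonstration.

```python
import re
from pathlib import Path

# Indicators named in the article: the worm copies itself as winppr32.exe into the
# Windows folder and downloads further code over UDP port 8998.
WORM_FILENAME = "winppr32.exe"
WORM_UDP_PORT = 8998

# Constructed firewall log format (an assumption, not any real product's format):
# "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ALLOW|DROP)$"
)


def find_worm_file(windows_dir):
    """Return the path of winppr32.exe inside windows_dir, or None if it is absent."""
    candidate = Path(windows_dir) / WORM_FILENAME
    return str(candidate) if candidate.is_file() else None


def hosts_talking_udp_8998(log_lines):
    """Return sorted source IPs whose UDP traffic to port 8998 was allowed through.

    Such hosts are candidates for SoBig.F infection (trying to fetch further code);
    DROP entries show the recommended firewall block is already working.
    """
    suspects = set()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        if m["proto"] == "UDP" and int(m["dport"]) == WORM_UDP_PORT and m["action"] == "ALLOW":
            suspects.add(m["src"])
    return sorted(suspects)


# Constructed sample log lines (not captured traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    "2003-08-22T18:59:40Z UDP 192.168.1.23:1045 -> 203.0.113.7:8998 ALLOW",
    "2003-08-22T18:59:41Z UDP 192.168.1.23:1046 -> 203.0.113.9:8998 ALLOW",
    "2003-08-22T18:59:42Z TCP 192.168.1.40:3321 -> 198.51.100.2:25 ALLOW",
    "2003-08-22T18:59:43Z UDP 192.168.1.51:1100 -> 203.0.113.7:8998 DROP",
    "2003-08-22T18:59:44Z UDP 192.168.1.60:1101 -> 203.0.113.7:53 ALLOW",
]

if __name__ == "__main__":
    print("Hosts reaching UDP/8998:", hosts_talking_udp_8998(SAMPLE_LOG))
    print("Worm file in C:\\Windows:", find_worm_file(r"C:\Windows"))
```

Run it on a real Windows host with the actual Windows folder path, and feed it your own firewall log once the regex is adapted to that product's format.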

Final word
The worst of SoBig.F may not be over yet. Because of the unpredictable dangers inherent with the hidden Trojan that appears to be included with SoBig.F, every administrator should move quickly to mitigate the damage that could be caused by this worm by following the recommendations mentioned above for removing SoBig.F and blocking its communications ability.
