Some sort of Virus going around?

[Uncle Grump]

Hi all

Lately I am getting a ton of emails which
have a 1 liner message which says "see the
attached file for details", and has an attachment which is 1K in size.

The subject line varys - its been:

Re: Wicked screen saver
Re: Your Application
Re: Details
Re: That movie
Your Details
and other stuff as well....

The real intersting part is that one of the
latest ones to come in was supposedly from
Rick here at FM!

I been deleting these critters. Any one else been getting them or know more details?

UG

[danny berg]

WORM_SOBIG.F

Overview Technical Details Statistics





QUICK LINKS Solution

--------------------------------------------------------------------------------

Virus type: Worm

Destructive: No

Aliases: Win32.HLLM.Reteras, W32.Sobig.F@mm, W32/Sobig.f@MM, Sobig.F, Win32.Sobig.F, W32/Sobig-F, I-Worm.Sobig.f

Pattern file needed: 617

Scan engine needed: 6.100

Overall risk rating: Medium

--------------------------------------------------------------------------------

Reported infections: Medium

Damage Potential: High

Distribution Potential: High

--------------------------------------------------------------------------------

Description:

TrendLabs has received several infection reports of this mass-mailing worm from Norway and Spain. As of 12:19 PM GMT, Trend Micro has declared a Medium Risk alert to control the spread of this malware.

This worm propagates by mass-mailing copies of itself using its own Simple Mail Transfer Protocol (SMTP) engine. It collects email addresses from files with the following extensions:

DBX
HLP
MHT
WAB
HTML
HTM
TXT
EML
It sends out email messages with the following details:

Subject: <any of the following:>
Re: Thank you!
Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie

Message body: <any of the following:>
See the attached file for details.
Please see the attached file for details.

Attachment: <any of the following:>
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

It may spoof the FROM field using email addresses found on the infected machine so that its email messages appear to originate from one source but was actually sent from another.

This worm deactivates its propagation routine on September 10, 2003.

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use the Trend Micro System Cleaner.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

To remove this malware, first identify the malware program.

Scan your system with your Trend Micro antivirus product.
NOTE all files detected as WORM_SOBIG.F.
Trend Micro customers need to download the latest pattern file before scanning their system. Other Internet users may use Housecall, Trend Micro’s free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

To remove the malware autostart entries:

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>
CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
TrayX = "%Windows%\winppr32.exe /sinc"
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>
CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
TrayX = "%Windows%\winppr32.exe /sinc"
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Deleting Dropped File

Right-click Start then click Search… or Find… depending on your version of Windows.
In the Named input box, type:
WINSTT32.DAT
In the Look In drop-down list, select the drive which contains Windows, then press Enter.
Once located, select the file then hit Delete.
Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_SOBIG.F. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.

For product specific solutions, please refer to Solution 16031 of Trend Micro's Knowledge Base.

Trend Micro offers best-of-breed antivirus and content-security solutions for your

[This message has been edited by danny berg (edited 09-10-2003).]