Following files in the %WINDIR% folder
The BitDefender Virus Analyse Team has released a free removal tool for this particular virus. Important: You will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you'll have to manually delete the infected files located in archives and the infected messages from your mail client.
The BitDefender Antisobig-en.exe tool does the following:
it detects all the known Sobig versions;
it deletes the files infected with Sobig;
it kills the process from memory;
it repairs the Windows registry.
You may also need to restore the affected files.
To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables.
If you are running Windows 95/98/Me you will have to apply the following patch provided by Microsoft to stop the virus from using the Share Level Password
Sorin Dudea, BitDefender Virus Researcher
It arrives in e-mail in the following format:
Subject: Randomly chosen from the following list:
Re: That movie
Re: Wicked screensaver
Re: Your application
Re: Re: My details
Re: Thank you!
Please see the attached file for details.
See the attached file for details
Attachment: Randomly chosen from the following list:
After the user opens the attachment the worm copies itself to the following location:
and adds the following registry keys:
It searches for e-mails in the following file types:
The worm includes a thread that, once every hour, reads the time by connecting three times to public NTP (Network Time Protocol) servers from a hardcoded list; if the day of the week is Friday or Sunday and the hour is between 19:00 and 22:59, the worm tries to connect to several hardcoded hosts on UDP port 8998 in order to receive the location of a file to download and execute. The IP addresses of these hosts are:
It then waits for the answer, decodes it, connects to the location it contains and downloads a file using the UrlDownloadToCacheFileA function. The virus executes the downloaded file directly using a CreateProcess call.
The worm also spreads through network shares.
It stops spreading after 10.09.2003.
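
The update thread described above leaves a recognizable trace in perimeter logs: outbound UDP traffic to port 8998 on Fridays and Sundays between 19:00 and 22:59. The following is an added example, not part of the original description or of any BitDefender tool, that scans firewall log lines for that pattern. The log format, the addresses and the sample lines are constructed, and the window is assumed to be evaluated in UTC because the worm takes its time from NTP rather than from the local clock.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample firewall log (UTC): time, source, destination, proto, dst port.
SAMPLE_LOG = """\
2003-08-22T18:59:40Z 10.0.0.5 192.0.2.10 udp 123
2003-08-22T19:00:05Z 10.0.0.5 198.51.100.7 udp 8998
2003-08-22T19:00:06Z 10.0.0.5 198.51.100.8 udp 8998
2003-08-23T20:15:00Z 10.0.0.9 198.51.100.7 udp 8998
2003-08-24T22:59:59Z 10.0.0.7 203.0.113.4 udp 8998
2003-08-24T23:00:00Z 10.0.0.8 203.0.113.4 udp 8998
2003-08-22T19:30:00Z 10.0.0.6 192.0.2.10 udp 123
2003-08-22T19:31:00Z 10.0.0.6 192.0.2.20 tcp 8998
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (udp|tcp) (\d+)$")
C2_PORT = 8998                # UDP port named in the description
ACTIVE_DAYS = {4, 6}          # Friday and Sunday in datetime.weekday() numbering
ACTIVE_HOURS = range(19, 23)  # 19:00 through 22:59

def in_window(ts):
    """True when ts falls inside the worm's download window."""
    return ts.weekday() in ACTIVE_DAYS and ts.hour in ACTIVE_HOURS

def find_suspects(log_text):
    """Map each source with outbound UDP/8998 to in/off-window counts and destinations."""
    hits = defaultdict(lambda: {"in_window": 0, "off_window": 0, "dsts": set()})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        when, src, dst, proto, port = m.groups()
        if proto != "udp" or int(port) != C2_PORT:
            continue  # NTP lookups and TCP traffic are not the beacon itself
        ts = datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        key = "in_window" if in_window(ts) else "off_window"
        hits[src][key] += 1
        hits[src]["dsts"].add(dst)
    return dict(hits)

if __name__ == "__main__":
    for src, info in sorted(find_suspects(SAMPLE_LOG).items()):
        print(src, info["in_window"], info["off_window"], sorted(info["dsts"]))
```

Sources with in-window hits to several destinations are the strongest candidates for disinfection; off-window traffic to the same port is worth a look but does not match the schedule described above.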