Sobig.f Worm Starts To Bite Again

[Alpine]

VIRUS COMPANY iDefense said that the SoBig virus has started to proliferate again.
The virus installs a copy of itself in the Windows directory as a firm called winppr32.exe, and then the registry is changed so that the worm executes at startup.

The file size, said iDefense, varies in order to attempt to thwart anti-viral software, and typically comes as an attachment with email subject headings such as Re: Details, Re: Approved, Re: Re: My details, Re: That movie, Re: Thank you!, Re: Your application, Re: Wicked screensaver, Thank you!, Your details



Source:
http://www.theinquirer.net/?article=11115

[Thankbot]

2 Users already said Thank You!

dalebleh, NoFear,

[BlackMantis]

Yup.. i was just looking at this, it also drops WINSTT32.dat in the winnt folder. it's a configuration file along with the following registry keys to hook up the system.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
"TrayX" = C:\WINNT\WINPPR32.EXE /sinc

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run
"TrayX" = C:\WINNT\WINPPR32.EXE /sinc
http://vil.nai.com/vil/content/v_100561.htm


the latest stinger that was posted today should have the remedy for it  you could get this from the link below.
http://vil.nai.com/vil/stinger/

[mikeh420]

Yep, just got one of those today. As usual, NAV caught it and "de-rezzed" it. (Apologies to Tron!) Amazing that people still open attachments from total strangers. How many times do you have to pound it into these idiots heads?

Ranting finished! Thank You.

[Bads]

I will take care 

Thanks for these precious informations 

[User Needs]

Just in case, here's the removal tool,
And I hope it's not needed.
or, http://securityresponse.symantec.com...r/FixSbigF.exe

[Alpine]

thx alot User