W32/Sobig.F@mm Mass Internet Activity Narrowly Averted
The anticipated simultaneous mass upgrade of the record-breaking W32/Sobig.F@mm worm was narrowly prevented on Friday 22 August thanks to the coordinated efforts of anti-virus software companies, law enforcement agencies, various ISPs and CERT organisations.
All copies of the worm were programmed to attempt a download of additional components from unknown URLs between 19:00 and 22:00 GMT on Friday, 22 August. These URLs were to be received when infected machines simultaneously contacted twenty IP addresses embedded in the worm's code. These IP addresses correspond to master hosts located in the U.S., Canada and South Korea.
However, 19 of these 20 master hosts had been taken off-line by 19:00 GMT. The remaining host quickly became unreachable when tens of thousands of infected computers around the globe attempted to send traffic to it.
Sobig.F is programmed to repeat this attempt every Friday and Sunday until 10 September, though it is deemed unlikely that later attempts will be successful.
How To Prevent Sobig.F From Downloading Updates
We recommend blocking outgoing traffic to port 8998/udp on the IP addresses in the list below to prevent Sobig.F from updating itself.
W32/Sobig.F@mm, which has broken all distribution records in recent days, will attempt to upgrade itself at 19:00 GMT on Friday, 22 August 2003.
Sobig.F contains built-in code that enables it to communicate with atomic clocks on the Internet, thus allowing all copies to synchronise their actions without relying on the internal clocks of the computers they infect. The Network Time Protocol servers it contacts do not contain any malicious code.
System administrators are advised to monitor port 123/udp (NTP) for abnormally heavy NTP traffic as an indication of the Sobig.F worm attempting to update itself.
At 19:00 GMT on Friday, 22 August, all copies of the worm will attempt to download additional components.
The worm has a pre-defined list of master hosts, which it will try to contact on port 8998/udp expecting to receive a URL. These master hosts are all located in the U.S., Canada and South Korea and are machines connected to the Internet through xDSL or cable modem connections.
The IP addresses that Sobig.F will try to contact at 19:00 GMT are the following:
126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52
We strongly suggest that System Administrators block outgoing traffic to port 8998/udp, at least for the IP addresses listed above, before 19:00 GMT to prevent Sobig.F from contacting these servers.
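The two defensive measures above (block outgoing 8998/udp to the master hosts, and watch for abnormally heavy NTP traffic on 123/udp) together with the worm's Friday/Sunday 19:00-22:00 GMT schedule, worked through as an added example. This is not code from the advisory or from F-Prot; it assumes a constructed one-line-per-connection flow-log format, uses TEST-NET placeholder addresses instead of the advisory's real master-host list, and renders the blocking rule in iptables syntax, which is an assumption about the reader's firewall.

```python
import re
from collections import Counter
from datetime import date, datetime, timezone

# Constructed placeholders standing in for the advisory's 20 master-host
# addresses (TEST-NET ranges); the real list is not reproduced here.
MASTER_HOSTS = {"198.51.100.10", "198.51.100.11", "203.0.113.7"}
UPDATE_PORT = 8998   # udp port on which the worm asks a master host for a URL
NTP_PORT = 123       # udp port used for the worm's clock synchronisation

# Activation schedule from the advisory: 19:00-22:00 GMT on Fridays and
# Sundays, starting Friday 22 August 2003; the worm exits on 10 September 2003.
FIRST_WINDOW_DAY = date(2003, 8, 22)
LIFESPAN_END = date(2003, 9, 10)
WINDOW_HOURS = range(19, 22)      # 19:00 <= t < 22:00
WINDOW_WEEKDAYS = (4, 6)          # datetime.weekday(): 4 = Friday, 6 = Sunday


def utc(*args):
    """Convenience constructor for a timezone-aware UTC datetime."""
    return datetime(*args, tzinfo=timezone.utc)


def in_update_window(ts: datetime) -> bool:
    """True if a timezone-aware timestamp falls inside a scheduled download window."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware; the schedule is in GMT")
    ts = ts.astimezone(timezone.utc)
    if not (FIRST_WINDOW_DAY <= ts.date() < LIFESPAN_END):
        return False
    return ts.weekday() in WINDOW_WEEKDAYS and ts.hour in WINDOW_HOURS


# Constructed flow-log format (one connection attempt per line):
#   <ISO-8601 UTC timestamp> <src ip> -> <dst ip> <proto>/<dst port>
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (tcp|udp)/(\d+)$")


def parse_line(line: str):
    """Parse one flow-log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m.group(2), "dst": m.group(3),
            "proto": m.group(4), "dport": int(m.group(5))}


def analyse(lines, ntp_threshold: int = 5):
    """Return (update_attempts, heavy_ntp_sources).

    update_attempts: (src, dst, ts, in_window) for every udp/8998 attempt
      towards a master host; any such attempt marks src as infected.
    heavy_ntp_sources: {src: count} for hosts whose udp/123 query count
      reaches ntp_threshold, the "abnormally heavy NTP traffic" the
      advisory asks administrators to watch for.
    """
    update_attempts = []
    ntp_counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "udp":
            continue
        if rec["dport"] == UPDATE_PORT and rec["dst"] in MASTER_HOSTS:
            update_attempts.append(
                (rec["src"], rec["dst"], rec["ts"], in_update_window(rec["ts"])))
        elif rec["dport"] == NTP_PORT:
            ntp_counts[rec["src"]] += 1
    heavy = {src: n for src, n in ntp_counts.items() if n >= ntp_threshold}
    return update_attempts, heavy


def firewall_rules(hosts=MASTER_HOSTS):
    """Render "block outgoing 8998/udp to the master hosts" as iptables
    commands (assumed Linux/iptables; adapt to your own firewall's syntax)."""
    return [f"iptables -A OUTPUT -p udp -d {ip} --dport {UPDATE_PORT} -j DROP"
            for ip in sorted(hosts)]


# Constructed sample: 10.0.0.5 syncs its clock repeatedly, then hits two master
# hosts at 19:00; 10.0.0.7 probes a master host outside the window (still
# infected); 10.0.0.9 is a normal host with one NTP query and some web traffic.
SAMPLE_LOG = """\
2003-08-22T18:40:02Z 10.0.0.5 -> 192.0.2.1 udp/123
2003-08-22T18:40:03Z 10.0.0.5 -> 192.0.2.2 udp/123
2003-08-22T18:40:04Z 10.0.0.5 -> 192.0.2.3 udp/123
2003-08-22T18:41:00Z 10.0.0.5 -> 192.0.2.1 udp/123
2003-08-22T18:41:01Z 10.0.0.5 -> 192.0.2.2 udp/123
2003-08-22T18:41:02Z 10.0.0.5 -> 192.0.2.3 udp/123
2003-08-22T18:55:10Z 10.0.0.9 -> 192.0.2.1 udp/123
2003-08-22T19:00:01Z 10.0.0.5 -> 198.51.100.10 udp/8998
2003-08-22T19:00:01Z 10.0.0.5 -> 198.51.100.11 udp/8998
2003-08-22T12:00:00Z 10.0.0.7 -> 203.0.113.7 udp/8998
2003-08-22T19:05:00Z 10.0.0.9 -> 192.0.2.50 tcp/80
this line is garbage and is skipped
""".splitlines()

if __name__ == "__main__":
    attempts, heavy = analyse(SAMPLE_LOG)
    for src, dst, ts, in_win in attempts:
        print(f"INFECTED {src} -> {dst}:{UPDATE_PORT}/udp at {ts:%Y-%m-%d %H:%M}Z"
              f" ({'scheduled window' if in_win else 'outside window'})")
    for src, n in heavy.items():
        print(f"HEAVY NTP {src}: {n} queries")
    print("\n".join(firewall_rules()))
```

Any host seen sending to 8998/udp towards a master host is infected regardless of the time of day, so the block rule is a containment measure, not a cleaning measure; the NTP count is only a hint and needs a threshold tuned to how many NTP queries a clean host normally makes on your network. The schedule check treats the window end as exclusive and the 10 September lifespan end as the first day on which the worm no longer runs.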
A new variant of the Sobig worm, W32/Sobig.F@mm, has started spreading in the wild. It has gained massive distribution this morning and seems to be spreading faster by the hour.
Users are urged to update their virus signature files for F-Prot Antivirus. W32/Sobig.F@mm is detected by virus signature files dated 19 August or later.
After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.
W32/Sobig.F@mm was discovered on 19 August 2003. Like other members of the Sobig family this new variant infects via e-mail and network shares. The worm sends itself as an attachment to e-mail addresses found on the infected computer as well as trying to copy itself to Windows network shares. After installing itself the worm starts along with Windows.
Like previous Sobig variants, Sobig.F has a limited lifespan and will stop spreading on 10 September 2003. After this date the worm will exit immediately when executed.
For more information on W32/Sobig.F@mm please see the technical description.
The latest version of F-Prot Antivirus detects W32/Sobig.F@mm using virus signature files dated 19 August or later.