BEAVERTON, Ore., -- Network Associates, Inc. (NYSE: NET), the leading provider of intrusion prevention solutions, today announced that McAfee(R) AVERT(TM) (Anti-Virus Emergency Response Team), the world-class anti-virus research division of Network Associates(R), assigned a high risk assessment for consumers to the newly discovered Sobig.f worm, also known as W32/Sobig.f@MM. The risk assessment remains at medium for enterprise users. Sobig.f is a destructive worm that propagates via email and over network shares and was reported to AVERT at many locations throughout the world by Network Associates customers.
SYMPTOMS
Sobig.f is an Internet worm that, once activated, emails itself to addresses it harvests from the infected user's machine. Users should immediately delete any email containing the following:
Subject:
-- Your details
-- Thank you!
-- Re: Thank you!
-- Re: Details
-- Re: Re: My details
-- Re: Approved
-- Re: Your application
-- Re: Wicked screensaver
-- Re: That movie
Body of email:
-- See the attached file for details
-- Please see the attached file for details
Attachment:
-- your_document.pif
-- document_all.pif
-- thank_you.pif
-- your_details.pif
-- details.pif
-- document_9446.pif
-- application.pif
-- wicked_scr.scr
-- movie0045.pif
PATHOLOGY
After being executed, Sobig.f emails itself out as an attachment to email addresses harvested from the victim machine, using its own SMTP engine to construct outgoing messages. The worm copies itself onto the infected system as C:\WINNT\WINPPR32.EXE.
A configuration file is also dropped to %Windir%: C:\WINNT\WINSTT32.DAT. In common with previous W32/Sobig variants, Sobig.f contains a date-triggered self-termination routine. If the date is September 10, 2003 or later, the worm will no longer propagate.
CURE
Immediate information and cures for this virus can be found online at the Network Associates AVERT site located at http://vil.nai.com/vil/content/v_100561.htm.
AVERT recommends that users of McAfee Security anti-virus solutions update their anti-virus software at http://vil.nai.com/vil/content/v_100561.htm and use the 4287 DAT files and 4.1.60 or later scanning engine to detect, identify and remove the threat as W32/Sobig.f@MM.
McAfee Anti-Virus
All McAfee anti-virus solutions, including McAfee(TM) VirusScan(R) and McAfee(TM) Internet Security for consumers, had updated DAT files released within hours of Sobig.f's discovery to protect against Sobig.f. By scanning files as they are saved to disk, McAfee anti-virus solutions can detect and eradicate this worm.
AVERT Labs is one of the top-ranked anti-virus research organizations in the world, employing more than 90 researchers in offices on five continents. AVERT protects customers by providing cures that are developed through the combined efforts of AVERT researchers and AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.
McAfee Security Consumer is a division of Network Associates, Inc., that delivers world-class retail and online solutions designed to secure, protect and optimize the computers of consumers and home office users.
McAfee's advanced retail desktop solutions include premier anti-virus, security, encryption, and desktop optimization software. McAfee's managed Web security services employ a patented system and process of delivering software through an Internet browser to provide these services to users online through its Web site www.mcafee.com, one of the largest paid subscription sites on the Internet with over two million active paid subscribers.
With headquarters in Santa Clara, California, Network Associates, Inc. creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. Offering two families of products, McAfee(R) System Protection Solutions, securing desktops and servers, and McAfee Network Protection Solutions, ensuring the protection and performance of the corporate network, Network Associates offers computer security to large enterprises, governments, small and medium sized businesses, and consumers. These two product portfolios incorporate Network Associates' leading McAfee, Sniffer(R) and Magic Solutions(R) product lines. For more information, Network Associates can be reached at +1-972-963-8000 or on the Internet at http://www.networkassociates.com/.
NOTE: Network Associates, AVERT, McAfee, Sniffer, Magic Solutions, Entercept, Infinistream, IntruShield are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the United States and/or other countries. Sniffer(R) brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks herein are the sole property of their respective owners.