20.08.2003
Advascan™ protects customers from latest Sobig worm outbreak

Advascan confirmed today that its customers are protected from the latest outbreak of a new form of the Sobig worm. This new version, Sobig-F, is polymorphic, with varying email subject lines, payload attachment names and file sizes. The 'From' field is selected from addresses found in local files, making the email appear to come from a trusted sender and making it more difficult to determine who is actually infected. The worm alters the Windows registry so that it runs on every Windows startup.

Roy Walker, chief executive of ADVASCAN, said:

"The Sobig-F worm seems to have originated in North America, but the outbreak has been severe and we are seeing infected emails across all regions including Europe and Asia Pacific. ADVASCAN™ users have been protected since the outbreak began. As far as we know, none of our antivirus-protected customers have experienced an incident of Sobig-F arriving by emails scanned by our systems."


Description of Sobig-F

W32/Sobig-F is a worm that spreads via email and network shares. W32/Sobig-F copies itself to the Windows folder as winppr32.exe and sets one of the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrayX=[Windows folder]\winppr32.exe /sinc

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrayX=[Windows folder]\winppr32.exe /sinc

The worm sends itself, using its own SMTP engine, as an attachment to email addresses harvested from various files on the victim's computer. When it distributes itself via email it forges the sender's address, so the apparent sender is not a reliable indication of which machine is infected.

The email has the following format:

Subject line, chosen from:
    Re: That movie
    Re: Wicked screensaver
    Re: Your application
    Re: Approved
    Re: Re: My details
    Re: Details
    Your details
    Thank you!

Message text, chosen from:
    Please see the attached file for details.
    See the attached file for details

Attached file, chosen from:
    movie0045.pif
    wicked_scr.scr
    application.pif
    document_9446.pif
    f details.pif
    your_details.pif
    thank_you.pif
    document_all.pif
    your_document.pif

W32/Sobig-F also attempts to spread by copying itself to Windows network shares, and it queries one of several Network Time Protocol (NTP) servers to determine the current date and time. If the date is September 10 2003 or later, the worm stops working. (Sophos)
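Mail-gateway detection logic for the message format described above, as an added example that is not Advascan's code: it parses a message with Python's standard email module and reports which of the listed subject, body and attachment indicators it matches. The sample messages, addresses and the attachment payload are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators are the subject lines, bodies and attachment names listed above.
SUBJECTS = {
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application", "Re: Approved",
    "Re: Re: My details", "Re: Details", "Your details", "Thank you!",
}
BODIES = {"Please see the attached file for details.", "See the attached file for details"}
ATTACHMENTS = {
    "movie0045.pif", "wicked_scr.scr", "application.pif", "document_9446.pif",
    "f details.pif", "your_details.pif", "thank_you.pif", "document_all.pif",
    "your_document.pif",
}


def sobig_f_indicators(raw: bytes) -> set:
    """Return the set of Sobig-F traits an RFC 822 message exhibits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if (msg["Subject"] or "").strip() in SUBJECTS:
        hits.add("subject")
    text = msg.get_body(preferencelist=("plain",))
    if text is not None and text.get_content().strip() in BODIES:
        hits.add("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.add("attachment")
        elif name.endswith((".pif", ".scr")):  # executable types the worm uses
            hits.add("executable-attachment")
    return hits


def is_sobig_f_candidate(raw: bytes) -> bool:
    """A listed attachment name is decisive on its own; otherwise subject, body and
    an executable attachment must all match, as the subjects alone are generic."""
    hits = sobig_f_indicators(raw)
    return "attachment" in hits or ({"subject", "body"} <= hits and "executable-attachment" in hits)


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Constructed test message; the From address is fake, like the worm's forged sender."""
    msg = EmailMessage()
    msg["From"] = "forged.sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ-placeholder", maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Because the sender is forged, a gateway that flags these messages should notify the recipient rather than bounce to the apparent sender.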

For Further Information:
Roy S. Walker, chief executive officer - +44 (0)8450 539331
roy.walker@advascan.com


© 2007-2009, Secmatica. All rights reserved.