Sobig.F

from Wikipedia, the free encyclopedia
Name Sobig.F
Aliases W32.Sobig.F@mm
Known since 2003
Type E-mail worm
Authors Unknown
Memory resident Yes
Distribution E-mail
System Windows 9x, NT, 2000, XP
Programming language MS Visual C++

Sobig.F, also often imprecisely called simply the Sobig worm, is a computer worm that was discovered on August 18, 2003 and spread to computers running the Microsoft Windows operating system.

Sobig.F broke all previous records for the effectiveness and speed of its spread. It has been surpassed only once, six months later, by MyDoom, the most destructive worm of all time to date (as of August 2020).


Aliases

The Sobig family consists of several variants, of which Sobig.F is by far the best known. Antivirus vendors use various names for the worm:

  • I-Worm.Sobig.f
  • W32/Sobig.F-mm
  • W32/Sobig.f@MM
  • WORM_SOBIG.F

Effects

Sobig.F is believed to have been released via a pornographic newsgroup and is the sixth in a series of increasingly sophisticated Internet worms released since January 2003. Sobig.F is classified as a network-active mass-mailing worm that sends itself to every e-mail address found in files with the extensions .dbx, .eml, .hlp, .htm, .html, .mht, .wab or .txt.

On August 19, 2003, the German Federal Office for Information Security (BSI) issued a warning about the F variant.

Changes to the system

When the Sobig.F worm is activated, it copies itself to the Windows directory with the name WINPPR32.EXE and saves a configuration file with the name WINSTT32.DAT in the same directory.

The following entries are made in the registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: "TrayX" = C:\WINNT\WINPPR32.EXE /sinc
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: "TrayX" = C:\WINNT\WINPPR32.EXE /sinc
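The two Run-key entries above are the worm's persistence mechanism and are the easiest host-side indicator to check for. The following script is an added example, not part of the Wikipedia article: it parses a Windows registry export in .reg text format (the sample export below is constructed for illustration, mixing one benign entry with the two entries the article attributes to Sobig.F) and flags any Run-key value that either uses the value name "TrayX" or points at WINPPR32.EXE. The .reg parser handles only quoted string values, which is all the Run keys normally contain.

```python
import re
from typing import List, Tuple

# Constructed sample of a Windows .reg export (not a real capture). It mixes a
# benign autostart entry with the two entries the article attributes to Sobig.F.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"TrayX"="C:\\WINNT\\WINPPR32.EXE /sinc"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayX"="C:\\WINNT\\WINPPR32.EXE /sinc"
'''

# The two autostart keys the article says Sobig.F writes to.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# Indicators taken from the article: the value name and the dropped binary.
INDICATOR_VALUE_NAME = "trayx"
INDICATOR_BINARY = "winppr32.exe"

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples for every string value in a .reg export.

    Only the REG_SZ form "name"="data" is handled; the \\ and \" escapes used by
    .reg files are unescaped so the data compares like a normal Windows path.
    """
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            entries.append((key, m.group("name"), data))
    return entries


def find_sobig_persistence(text: str) -> List[Tuple[str, str, str]]:
    """Flag Run-key values matching the Sobig.F persistence described in the article."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in RUN_KEYS:
            continue  # only autostart keys are of interest here
        if name.lower() == INDICATOR_VALUE_NAME or INDICATOR_BINARY in data.lower():
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_sobig_persistence(SAMPLE_REG_EXPORT):
        print(f"suspicious Run entry under {key}: {name} = {data}")
```

On a live system the same check can be run against the output of `reg export` for each of the two keys; matching on the binary name as well as the value name catches a copy that was re-registered under a different value name.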

Distribution

Once installed, the worm opens ports to the Internet on the infected computer, installs its own mail server and, in parallel, incessantly sends infected e-mails to arbitrary recipients.

Threat today

The worm was programmed to contact certain computers every Friday and Sunday until September 10, 2003 in order to receive small updates in the form of further instructions; for this it sends a UDP packet to port 8998 of a remote server. Because their IP addresses were identified, these target computers were taken off the network after a short time. Since practically no new Sobig.F infections have occurred since this "expiry date", Symantec, for example, lowered the worm from threat level 4 to category 2 after a few weeks.
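The update channel described above (UDP to destination port 8998, on Fridays and Sundays up to September 10, 2003) is a network-side indicator that a perimeter firewall or flow collector would have recorded. The script below is an added example, not part of the Wikipedia article: it scans firewall log lines for UDP traffic to port 8998 and annotates each hit with whether it falls on the worm's schedule, so that on-schedule beacons can be separated from unrelated traffic to the same port. The log format and the sample lines are constructed for this example; adapt the parser to your own firewall's format.

```python
from datetime import date, datetime
from typing import Dict, List

# Constructed firewall log lines (not real telemetry). Assumed line format:
#   <ISO timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>
# August 22, 2003 was a Friday, August 23 a Saturday and August 24 a Sunday.
SAMPLE_FIREWALL_LOG = """\
2003-08-22T10:15:03 UDP 10.0.0.7:1042 -> 192.0.2.10:8998 ALLOW
2003-08-22T10:15:04 TCP 10.0.0.7:1043 -> 192.0.2.20:25 ALLOW
2003-08-23T10:15:03 UDP 10.0.0.7:1044 -> 192.0.2.10:8998 ALLOW
2003-08-24T21:00:00 UDP 10.0.0.9:2001 -> 198.51.100.5:8998 DENY
2003-08-24T21:00:01 UDP 10.0.0.9:2002 -> 198.51.100.5:53 ALLOW
"""

UPDATE_PORT = 8998          # destination port named in the article
UPDATE_WEEKDAYS = {4, 6}    # Friday and Sunday (date.weekday(): Monday == 0)
EXPIRY = date(2003, 9, 10)  # last scheduled update day per the article


def parse_line(line: str) -> Dict:
    """Split one log line of the assumed format into a record."""
    ts, proto, src, _arrow, dst, action = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts),
        "proto": proto,
        "src_ip": src_ip,
        "src_port": int(src_port),
        "dst_ip": dst_ip,
        "dst_port": int(dst_port),
        "action": action,
    }


def find_update_beacons(log: str) -> List[Dict]:
    """Return every UDP/8998 record, marking those that match the worm's schedule."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "UDP" or rec["dst_port"] != UPDATE_PORT:
            continue
        day = rec["ts"].date()
        rec["on_schedule"] = day.weekday() in UPDATE_WEEKDAYS and day <= EXPIRY
        hits.append(rec)
    return hits


def hosts_to_triage(log: str) -> List[str]:
    """Source addresses that sent at least one on-schedule beacon, sorted."""
    return sorted({rec["src_ip"] for rec in find_update_beacons(log) if rec["on_schedule"]})


if __name__ == "__main__":
    for rec in find_update_beacons(SAMPLE_FIREWALL_LOG):
        flag = "ON SCHEDULE" if rec["on_schedule"] else "off schedule"
        print(f"{rec['ts']} {rec['src_ip']} -> {rec['dst_ip']}:{rec['dst_port']} {rec['action']} ({flag})")
    print("hosts to triage:", hosts_to_triage(SAMPLE_FIREWALL_LOG))
```

Note that a DENY entry is still worth triaging: the firewall blocked the update fetch, but the host that attempted it is still running the worm.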

Potentially, all Microsoft operating system versions from Windows 95 to Windows XP without the corresponding hotfixes can be infected by Sobig.F. The first edition of Windows Server 2003 was released only a week after the Sobig.F wave and was therefore not affected.

In 2003 an appropriately configured firewall was not yet standard on Windows computers; it only became so with Service Pack 2 for Windows XP. Such a firewall would have effectively prevented the Sobig worm from spreading.

References

External links