Post by Keith Heitmann on Aug 20, 2003 0:37:53 GMT -5
A new variant of W32/Sobig, W32/Sobig.f@MM is a High Risk mass-mailing worm. It arrives as an email attachment with a .pif or .scr extension. When run, it infects the host computer, then emails itself (using its own SMTP engine) to harvested email addresses from the victim's machine. In addition, when it propagates, the worm "spoofs" the "from: field", using one of the harvested email addresses.

Note: The worm copies itself onto the infected machine as: C:\WINNT\WINPPR32.EXE

Caution: An infected email can come from addresses you recognize and may contain the following information:

Subject:
- Your details
- Thank you!
- Re: Thank you!
- Re: Details
- Re: Re: My details
- Re: Approved
- Re: Your application
- Re: Wicked screensaver
- Re: That movie

Attachment:
- your_document.pif
- document_all.pif
- thank_you.pif
- your_details.pif
- details.pif
- document_9446.pif
- application.pif
- wicked_scr.scr
- movie0045.pif

Body:
- See the attached file for details
- Please see the attached file for details

Current and up-to-date VirusScan users are protected from this threat.

Learn More about W32/Sobig.f@MM: ==> us.mcafee.com/root/campaign.asp?cid=8449
Scan for W32/Sobig.f@MM: ==> us.mcafee.com/root/campaign.asp?cid=8450
Post by Keith Heitmann on Aug 20, 2003 0:44:51 GMT -5
Prior to receiving the above warning bulletin from McAfee I received some 60 infected emails all with the very same subject titles yesterday afternoon between 1:30 and 4pm.
I deleted them all figuring they were all spam anyway. I'm relatively safe against worms and scripts since I'm on AOL and their email program is proprietary and is not prone to the same problems that Outlook Express is prone to.
Naturally I never download a file that is from an unknown source and I always check the file name for the obvious .pif, .scr, .exe and .com extensions before I download anything. Anything I'm not sure about is scanned a second time by me manually, even though AOL and my install of McAfee each give it a once over in the background while downloading.
Post by Keith Heitmann on Aug 20, 2003 13:07:55 GMT -5
For those of you with mail previewing functions you could trigger the script or pif file by the simple act of choosing to preview an infected email.
The worm scripts can be activated automatically by Windows Scripting Host.
1) The first step is to turn off Windows Scripting Host. You don't need this (note: you might after all, just re-enable it if something else doesn't work after; it's safer to have it off), and it's the hook 99% of email virii latch onto. To do this under 98 and older:
Go to Control Panel
Open Add/Remove Programs
Pick the Windows tab
Pick Accessories and click the 'Details' button
Scroll down and uncheck 'Windows Scripting Host'
Just OK thru the rest and now you're secure from these.
2) Turn OFF the preview pane. This is the same as opening the email and WILL launch any virii that are not covered by #1.
3) Now that you have the preview pane off, if you receive an email with an attachment, to inspect it safely, click on it just ONCE, choose File from the top and Properties, then the Details tab, then Message Source. This'll open a text-only window to view the message safely, no matter what kind of script it may have embedded.
For those on XP:
The file CSCRIPT.EXE is the Windows Scripting Host file on XP. It exists in two folder paths:
C:\I386 and C:\Windows\System32
One could probably disable the program by simply renaming the file to some non-executable extension:
From: cscript.exe To: cscript.old
Or any name that doesn't end in .exe or .com. It may be a good idea to disguise or alter the "cscript" part of the filename as well.
I haven't tried this myself personally, but I'm guessing it's an inelegant quick fix that should work. If your computer starts misbehaving after you rename the file you can always rename it back.
You will probably have to rename this file again after any System Restore you may perform from a system backup date prior to the date you first renamed the file.
To avoid such worms you can get various Mail utility programs/services like MailWasher, etc.
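The bulletin in the first post lists the subjects and attachment names Sobig.F uses, and the third post recommends reading the message source rather than previewing a suspect mail. The script below is an added example (not from the thread or from McAfee) that does both with Python's standard `email` module: it parses a raw message without rendering or executing anything, pulls out the sender, subject and attachment filenames, and reports which of the bulletin's indicators matched. The indicator lists are copied from the bulletin; the two sample messages are constructed here for the demonstration, and `.exe`/`.com` are included in the risky-extension check because the second post watches for them too.

```python
"""Flag mail that matches the W32/Sobig.f@MM indicators quoted in the bulletin.
Added example, not from the original thread. Indicator lists are copied from
the McAfee bulletin; the sample messages below are constructed test data."""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Subjects and attachment names quoted verbatim from the bulletin.
SOBIG_F_SUBJECTS = {
    "Your details", "Thank you!", "Re: Thank you!", "Re: Details",
    "Re: Re: My details", "Re: Approved", "Re: Your application",
    "Re: Wicked screensaver", "Re: That movie",
}
SOBIG_F_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}
# Extensions the worm ships as (.pif/.scr), plus .exe/.com from the second post.
RISKY_EXTENSIONS = (".pif", ".scr", ".exe", ".com")


def inspect_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and return headers plus attachment names.
    Only the structure is read; nothing is rendered or executed, which is the
    text-only 'message source' view the third post recommends."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = [
        part.get_filename()
        for part in msg.iter_attachments()
        if part.get_filename()
    ]
    return {
        "from": str(msg["From"]),
        "subject": str(msg["Subject"] or "").strip(),
        "attachments": attachments,
    }


def sobig_f_verdict(info: dict) -> list:
    """Return the list of indicators that matched; an empty list means clean."""
    hits = []
    if info["subject"] in SOBIG_F_SUBJECTS:
        hits.append(f"subject:{info['subject']}")
    for name in info["attachments"]:
        lower = name.lower()
        if lower in SOBIG_F_ATTACHMENTS:
            hits.append(f"attachment:{name}")
        elif lower.endswith(RISKY_EXTENSIONS):
            hits.append(f"risky-extension:{name}")
    return hits


def build_sample(sender: str, subject: str, body: str,
                 filename: Optional[str]) -> bytes:
    """Construct a test message (constructed sample data, not a captured mail)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "you@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        # The payload bytes are filler; only the filename matters for this check.
        m.add_attachment(b"not a real executable", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples: one that matches the bulletin, one benign.
SAMPLES = {
    "worm_like": build_sample("friend@example.invalid", "Re: Thank you!",
                              "See the attached file for details",
                              "thank_you.pif"),
    "benign": build_sample("colleague@example.invalid", "Meeting notes",
                           "Notes attached.", "notes.txt"),
}


def scan_samples() -> dict:
    """Run the verdict over every constructed sample, keyed by sample name."""
    return {name: sobig_f_verdict(inspect_message(raw))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(name, "->", hits or "clean")
```

To use it on real mail, feed `inspect_message()` the raw bytes of a saved message (for example one `.eml` file per mail) instead of the constructed samples; because it never opens the attachment, a match on the filename alone is enough to quarantine the message.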