CERT® Incident Note IN-2003-03The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.
W32/Sobig.F WormRelease Date: August 22, 2003
The CERT/CC has been receiving a large volume of reports of a mass mailing worm, referred to as W32/Sobig.F, spreading on the Internet. New information indicates that this worm has additional capabilities that were not realized at the time it first began propagating.
The W32/Sobig.F worm is an email-borne malicious program with a specially crafted attachment that has a .pif extension. The email messages may appear from random addresses and have a Subject: line such as
The following attachment names have been observed in email messages carrying the worm:
The worm requires a user to execute the malicious attachment either manually or by using an email client that will open the attachment automatically. Upon successful execution, the worm installs itself as C:\%windir%\winppr.exe and also creates the file C:\%windir%\winstt32.dat. An entry is also added to the Run registry key so that this executable will be run upon system restart. The key installed in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is ScanX with the value "c:\winnt\winppr.exe /sinc". The program then proceeds to scan files with certain extensions (htm, html, dbx, hlp, mht, txt, wab) on the compromised system for valid email addresses, and it uses an internal SMTP engine to email itself to those addresses.
The worm uses the Network Time Protocol (NTP) to determine the current time. The worm also includes code that attempts to contact a list of 20 predefined IP addresses on port 8998/UDP on Fridays and Sundays between 1900 and 2200 UTC (starting at 1900 UTC on August 22, 2003). Is it believed that a location from which additional code can be downloaded is sent over this channel. The list of IP addresses appears as follows:
The worm is believed to have a programmed "shut down" date of September 10, 2003, at which time it is expected to stop propagating.
Anti-virus vendors have developed signatures for W32/Sobig.F:
Run and maintain an anti-virus product
While an up-to-date antivirus software package cannot protect against all malicious code, for most users it remains the best first-line of defense against malicious code attacks. Users may wish to read IN-2003-01 for more information on anti-virus software and security issues.
Most antivirus software vendors release frequently updated information, tools, or virus databases to help detect and recover from malicious code, including W32/Sogib.F. Therefore, it is important that users keep their antivirus software up to date. The CERT/CC maintains a partial list of antivirus vendors.
Many antivirus packages support automatic updates of virus definitions. The CERT/CC recommends using these automatic updates when available.
Do not run programs of unknown origin
Never download, install, or run a program unless you know it to be authored by a person or company that you trust. Email users should be wary of unexpected attachments, while users of Internet Relay Chat (IRC), Instant Messaging (IM), and file-sharing services should be particularly wary of following links or running software sent to them by other users since these are commonly used methods among intruders attempting to build networks of distributed denial-of-service (DDoS) agents.
Filter network traffic
Sites are encouraged to block network access to the following relevant ports at network borders. This can minimize the potential of denial-of-service attacks originating from outside the perimeter. The specific services that should be blocked include
Sites should consider blocking both inbound and outbound traffic to these ports, depending on network requirements, at the host and network level.
If access cannot be blocked for all external hosts, the CERT/CC recommends limiting access to only those hosts that require it for normal operation. As a general rule, the CERT/CC recommends filtering all types of network traffic that are not required for normal operation.
Recovering from a system compromise
If you believe a system under your administrative control has been compromised, please follow the steps outlined in
The CERT/CC is tracking activity related to this worm as CERT#30979. Relevant artifacts or activity can be sent to firstname.lastname@example.org with the appropriate CERT# in the subject line.
Authors: Chad Dougherty and Brian King
This document is available from: http://www.cert.org/incident_notes/IN-2003-03.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.