Search OutlookPower's 8,351 Outlook and all-things-email article archive 
Home
EasyPrint
News details Click here for the RSS feed's XML code. This is not a browser URL.
Articles-only Click here for the RSS feed's XML code. This is not a browser URL.
Twitter Feed Click here for the Twitter feed.
EMAIL UNDER ATTACK
How the SoBig.F virus works
By Daniel Koffler

The latest incarnation of the SoBig worm has been devastating mail servers all over the Internet. SoBig was first spotted in the wild, in January. Since then, several new versions have popped up; the latest and most virulent, SoBig.F was first spotted on August 18th and has been wreaking havoc since.

This latest version of SoBig is especially nasty because it uses techniques from other worms, Trojans and even spammers to replicate itself and infect other systems. The most frustrating aspect of the SoBig worm to system administrators is the fact that the worm won't infect a system without the cooperation of a mail user.

Infectious beginnings
All of the SoBig variants are spread as an email attachment with either a ".pif" of ".scr" extension. The file names vary with each version of the worm, but the ones used by SoBig.F are listed in Figure A below.

FIGURE A


Here are the characteristics of SoBig.F. Roll over picture for a larger image.

Unlike other worms that take advantage of bugs in mail clients to automatically execute attachments, SoBig relies on enticing the email user to open the attachment manually. Because the email generally appears to come from someone they know many users end up opening the attachment and infecting their machine.

First wave: replication
Once run, SoBig.F will copy itself to your Windows directory as winppr32.exe and add registry entries to automatically start every time you boot your computer or login. Once installed and running SoBig.F will scour your hard disks for certain files and harvest any email addresses found within, creating a massive list of targets. Table A, above, lists the file extensions SoBig.F looks for.

SoBig.F doesn't rely on an installed mail client to send itself out (although it can); it comes with its own SMTP server to blast itself to its target list. SoBig will use email addresses from its target list as a spoofed "From" address in the mail envelope in order to make these messages appear to be more legitimate. SoBig.F uses carefully crafted subject lines to complete the illusion of a valid email from someone you know.

Second wave: is the cure worse then the disease?
Shortly after the worm was first seen in the wild and analyzed, most anti-virus vendors sent out immediate updates to their virus definitions to find and block SoBig.F. While some systems were already infected and infecting others, many other users were being protected by gateway and mail server anti-virus scanning products. These scanning products find the SoBig worm and either reject the message or clean it. The logic built into many of these products compounded the SoBig problem.


1  ·  2  ·  Next »
Other articles you might like
Home > Online Safety > Virus protection (7 articles)
   Readers clock in on Microsoft v. Symantec
   The great Windows Vista antivirus war
   Another month, another virus
Get Weekly Email Updates
Subscribe to our regular weekly email newsletter. It's packed with tips, reviews, deep analysis, and the latest news.
 
Recent OutlookPower Articles
Can Outlook run when it's not running (and other mysteries)?
Exploring the dark side of social networks
How not to screw up when you send email
How to separate email accounts and still manage them
How to convert a PST file from an old format to a new format
Visnetic MailFlow can automate your organization's mail processing
How to make Outlook launch an app at a specific time?
OutlookPower News Center
Touch in Windows 7: Just for show?
Windows XP User: I'm No Thief
Windows 7 May Get Family Pack Discount
Microsoft Unleashes Five Service Packs for Its Enterprise Security Wares
Give an Old Desktop New Life
Europe won't pay more for Windows 7. Really!
IT wish list for SharePoint 2010: Keep it simple
>> Read all the news
More from the ZATZ journals
Computing Unplugged: Eight steps to successful and reliable home backups
David Gewirtz Online: CNN commentary and analysis
DominoPower: What to look for in a Domino-based document management solution
-- Advertisement --

Write for OutlookPower today!
Share your experience and expertise with other Outlook and Exchange users, administrators, and developers. OutlookPower Magazine has grown nicely and now has new opportunities for contributing authors and editors.

Write about something you're an expert on and get your name in lights.

For Writers' Guidelines and to discuss topics, contact Staff Editor Steve Niles. This is your opportunity to shine in front of your peers, your clients, and other readers.

Click for more info!

-- Advertisement --

Automate Address Data entry using ADDRESSGRABBER
AddressGrabber Business captures contact name, email address and phone numbers from email signatures, Web pages, documents and automatically transfers them to Outlook contacts with one click!
  • Capture contacts instantly into Outlook - Save 80% data entry time
  • Remove duplicate contacts as and when you add them into Outlook
  • Capture contacts automatically into QuickBooks and FedEx as well


Click here for more info
ZATZ Home  ·  News  ·  Back Issues  ·  Credits/Trademarks ·  Link To Us
The Power Magazine for Microsoft Outlook and Exchange Users at OutlookPower.com
Copyright © 1998-2009, ZATZ Publishing. All rights reserved worldwide.
Outlook is a trademark of Microsoft Corporation.
Editor's Login