Sobig.F, known in the antivirus community as w32.sobig.f@mm, is an email-propagated worm that afflicts computers running any modern (>1995) 32-bit version of Microsoft Windows. It was first seen on August 18, 2003, though it may have been going for a few days prior to that date.

Just like every other email-borne worm that has affected Microsoft products in recent years, Sobig.F scans the Microsoft Outlook/Outlook Express address book of its infected host for addresses to send itself to. (Of course, if you're not using either of those email clients, then you have naught to worry about unless you're keen on opening attachments from unknown senders.) It also scours any sent email it finds, and it also does a once-over of any text files it can find, looking for email addresses. When it finds some, it starts running its own SMTP server in the background and then emails itself to others. It uses a variety of subject lines, all variations on the following:

  • Re: Details
  • Re: Approved
  • Re: Re: My details
  • Re: Thank you!
  • Re: That movie
  • Re: Wicked screensaver
  • Re: Your application
  • Thank you!
  • Your details

Each of these emails contains a file attachment, usually 75KB-104KB in size, and always either a .pif or .scr file, both old standbys for virus-infected email attachments. Users unaware of the dangers inherent in opening file attachments from unknown sources (do these people really exist? it seems implausible), coupled with the default setting in Microsoft Outlook/Outlook Express to run attachments when emails are read, is how the worm infects its host computer.

Though the origin of Sobig.F will probably never be determined, in-depth analysis of the worm has discovered that it also spawns its own background-running DNS server and proxy server. Evidence seems to point to any number of spam gangs as the author of the worm, and it seems to have been unleashed upon the Microsoft-using internet user crowd in order to set up throwaway servers that spammers use to send out batches of spam. Additional evidence indicates that the worm may have originated in Russia, as it will not infect any computers on which the default language is set to Russian. Moreover, Russia has in recent months become a veritable hotbed of spam activity.

The modus operandi of spammers in recent years has been using insecure SOCKS4/SOCKS5 proxy servers and open SMTP relays to send their dubious produce in (they assume) anonymity. Additionally, most spam is usually plugging a website or two, and for the websites to work, DNS servers are required, which is why Sobig.F creates one. Though their use will in almost all cases be very temporary, that's all the spammers need to get the attention they're after. That being the case, the worm provides untold hundreds or thousands of spammers and spam gangs with insecure, temporarily indetectable relays, proxies, and nameservers.

The ".F" at the end of Sobig.F indicates the worm's revision number. There have been predecessors to this worm, named Sobig.A through Sobig.E, though none thus far have been as successful or as annoying as revision F.

The worm has a built-in expiration date, which is September 10, 2003. It was widely assumed that on that date, Sobig.G will appear and provide further services to spammers, but nothing appeared when that date occured, and there was much rejoicing, for the worm had shut itself down and the clueless had no further forms of network abuse to unknowingly propagate.

Comprehensive information on the worm and what it does, as well as instructions on how to remove it from your Windows box, can be found at the following URL:

http://www.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html

One more thing, for the sake of all that which does not suck: Please, do not open email attachments from unknown senders, or even read anything that looks suspicious. It is not possible for any good to come of it. I'd urge you to take advantage of the filters provided by most email clients and start filtering out the subject lines that Sobig.F uses. Also, just to be on the safest of safe sides, you should consider using an email client that isn't produced by Microsoft, as those that Microsoft produces have, time and time again, shown how insecure and unreliable they are whenever a new virus or worm appears.

After less than a week of being hammered by this worm, antivirus gurus are calling it the most widespread worm ever to exist, even as its run is still in progress. A new event discovered in the way the worm works went off at 19:00 GMT on Friday, August 22, 2003, and then again at the same time on August 24, 2003 -- at those times, every infected computer attempted to connect to 20 various servers located in South Korea, where an unidentified program will apparently do something. What ended up happening was that somehow, those 20 Korean servers were secured just prior to when Sobig.F was scheduled to hit them. This in itself is quite remarkable, as South Korea has a fairly bad reputation when it comes to computers, as approximately 20% of the world's spam is routed through insecure proxy servers located there.