The executable has a size of around 70KB and it's packed with TELock. It has its own SMTP engine, apart from routines to query directly DNS servers and make requests using the Network Time Protocol.
The worm also has updating capabilities. It will attempt to download updated versions when certain conditions are met.
Deactivation routine
The worm will stop spreading on 10th of September 2003. From this date onwards the worm will exit immediately when executed.
Infection
It will install itself into:
%windir%\winppr32.exe
Proceeding then to add the following keys to the Windows Registry:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayX" = %windir%\winppr32.exe /sinc
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayX" = %windir%\winppr32.exe /sinc
So it's started when Windows does.
Mail spreading
The worm usually arrives in e-mails with the following characteristics:
From:
The 'From:' field is filled with an address found from the infected system.
If no address is found, it will use "admin@internet.com"
To:
The 'To:' field is filled with an address found from the infected system.
Subject, any from the list:
Re: Thank you!
Thank you!
Your details
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Body, it chooses one from the two following lines:
See the attached file for details
Please see the attached file for details.
Attachment name
The name is selected from the following list:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
Detection
W32/Sobig.F@mm is detected by the latest version of F-Prot Antivirus using virus signature files dated 19 August 2003 or later.
| 
