Smart Computing
How To Get Rid Of…
Article Last Reviewed February 2005


How To Get Rid Of SoBig (& Variants SoBig.B, Sobig.E, Sobig.F)

Description

SoBig and all of its variants are mass-mailer worms that spread via email. Infected messages will have an attachment with a .pif or .scr extension and an innocuous-sounding subject line, such as "Re: That movie" or "Re: Your application." Because the worm is able to spoof the "From" address, it might look like the email comes from someone you know. If you open and run the attachment, your computer becomes infected. While SoBig.F—the most recent variant—deactivated and ceased propagation on Sept. 10, 2003, chances are good that another, perhaps more dangerous, variant could appear anytime.

How To Tell If SoBig Is On Your PC

The worm installs the file winppr32.exe into the C:\Windows directory on your computer's hard drive. You can verify this by going into My Computer and locating the C:\Windows directory. If you see the file there, you've got the worm. Once installed, it will extract email addresses from files on your computer and begin sending itself to them. It also implements a background process that attempts to contact a remote server at a specified time and date, perhaps to update itself or execute another malicious program.


WARNING: The following section includes step-by-step information on how to edit the Windows Registry, a large database containing system and program settings that are essential to how the OS (operating system) operates. Follow Registry-editing instructions to the letter and be sure to make a backup of your Registry before you begin. (Registry errors can render your computer inoperable if you don't have a backup.) This procedure differs depending on the OS you use. For more information on backing up and editing the Registry, see these articles: "Protect Yourself" and "Register Here."



How To Get Rid Of SoBig

There are many tools (see below) that you can download to help you get rid of this agent, including programs from F-Secure (www.f-secure.com/v-descs/sobig_f.shtml#disinf), McAfee (vil.nai.com/vil/averttools.asp#stinger), and Symantec (securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.removal.tool.html). In this example, we'll use McAfee's AVERT Stinger utility, which has the added benefit of getting rid of 45 other viruses in addition to the SoBig variants. The steps you'll follow to clean your system are:

1. Download the utility from download.nai.com/products/mcafee-avert/stinger.exe and save it into a location you'll remember.

2. If you're on Windows Me or XP, disable System Restore by right-clicking the My Computer icon and clicking Properties. Select the System Restore tab and put a check in the Turn Off System Restore box. Then click the OK button and restart your computer.

3. Once rebooted, browse to the stinger.exe file you downloaded and saved, then double-click it. A window will open with the Stinger interface.

4. The program defaults to scanning everything on your C:\ drive. Click Add or Browse if you need to add other drives or directories.

5. Click the Scan Now button to start the process. Stinger will begin to scan and will remove and/or repair any infected files found.

Manual Removal:

1. Disconnect your PC from the network, if possible.

2. Kill the worm's active process (winppr32.exe) in the Task Manager's Process tab. (A handy shortcut to this area is right-clicking an empty spot on the Taskbar and selecting Task Manager.)

3. Search for and delete all copies of the files winppr32.exe and winstt32.dat from the hard drive. To do this, click Start, Search, All files and folders, and enter the file name on the line that reads "All or part of the file name." Click the Search button to initiate.

4. Using Regedit, open the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and delete the entry "TrayX"="Windows/winppr32.exe /sinc" found there.

5. Reboot your system.
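As an added example that is not part of the original article, the PowerShell script below audits a machine for the three indicators the article describes (the dropped files, the running winppr32.exe process and the "TrayX" value under the HKCU Run key) and reports them without deleting anything, so you can confirm an infection before working through the manual steps. The file names, value name and key path come from the article; the function name and the use of PowerShell are assumptions.

```powershell
# Added example, not the article's own code: audit a host for the SoBig
# indicators the article names (files, process, TrayX Run value); assumes PowerShell 3+.
function Test-SobigIndicators {
    param(
        # Directory the article says the worm drops its files into.
        [string]$WindowsDir = $env:windir
    )

    $findings = @()

    # 1. Dropped files named in the article.
    foreach ($name in 'winppr32.exe', 'winstt32.dat') {
        $path = Join-Path $WindowsDir $name
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{
                Indicator = 'File'
                Detail    = $path
                Action    = 'Delete after the process is stopped (manual step 3)'
            }
        }
    }

    # 2. Running worm process (the article has you kill it in Task Manager).
    $proc = Get-Process -Name 'winppr32' -ErrorAction SilentlyContinue
    if ($proc) {
        $findings += [pscustomobject]@{
            Indicator = 'Process'
            Detail    = "winppr32.exe (PID $($proc.Id -join ', '))"
            Action    = 'Stop-Process, then delete the file (manual step 2)'
        }
    }

    # 3. Persistence: the TrayX value under the HKCU Run key.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $tray = Get-ItemProperty -Path $runKey -Name 'TrayX' -ErrorAction SilentlyContinue
    if ($tray) {
        $findings += [pscustomobject]@{
            Indicator = 'Registry'
            Detail    = "$runKey\TrayX = $($tray.TrayX)"
            Action    = 'Remove-ItemProperty TrayX; leave the other Run values alone (manual step 4)'
        }
    }

    return $findings
}

# Run the audit; no output means none of the indicators were found.
Test-SobigIndicators | Format-Table -AutoSize
```

Run it before and again after the removal steps: a clean second run confirms that the file, process and Run value are all gone.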

Copyright © 2009 Sandhills Publishing Company U.S.A. All rights reserved.