Sobig.F virus...the latest email viral threat...and it's spreading

There is a new variation of the "sobig" email virus running around. The latest version, sobig.f, typically arrives with a subject line like "re:details," "details," "your details," "thank you," or "resume." There is one very easy way to protect yourself from this virus, as with most others:

Do Not Open Email Attachments

Unless you are specifically expecting an email attachment from a trusted sender, Don't Open It

OK, that's pretty draconian. But in this day and age of email viruses appearing every other day, some of them quite nasty, it's becoming the best possible advice. You absolutely do not want to open an attachment with the file extensions:
You have to be particularly careful that somebody hasn't tried to fool you by sending you a file with a name like "greatpicture.jpg.pif". The .pif is the scriptable part that will run; it's not really a jpeg photo at all, it's a script file. And your computer will dutifully run it when you click on it.

Important: the sobig.f variant of this virus adds a fake header to the email it sends out that makes it look like the email has already been scanned by a virus scanner, and is clean. Don't believe it.

This particular virus sends attachments with a ".pif" file extension; pif files are Program Information Files, basically a way for a DOS program to be run within Windows. Typical filenames that have been seen in the wild have been
If you DO get infected with the sobig virus, it will steal email addresses from several different locations on your computer (Windows address book, internet cache, etc.), and it will send additional copies of itself to those addresses. It will also attempt to install a backdoor "trojan horse" program to allow others to access your computer. Don't take this threat lightly; it's a primary way spammers are now getting spam sent out: they take over other people's machines without the owners knowing it, install email-relaying software on the machine, and go about their dirty work of filling other people's mailboxes with spam.

REMOVAL OF THE VIRUS

It's pretty easy to remove this virus; there is a free tool available from F-Secure that will do it for you. Here is their instruction file:
F - S O B I G
-------------

The F-Sobig utility disinfects computers infected with W32/Sobig.B@mm, W32/Sobig.C@mm, W32/Sobig.E@mm and W32/Sobig.F@mm worm variants. These worms are also known as 'Palyh' and 'Mankx'.

Detailed description on the W32/Sobig.B@mm worm is available at
http://www.f-secure.com/v-descs/sobig.shtml

Detailed description on the W32/Sobig.C@mm worm is available at
http://www.f-secure.com/v-descs/sobig_c.shtml

Detailed description on the W32/Sobig.E@mm worm is available at
http://www.f-secure.com/v-descs/sobig_e.shtml

Detailed description on the W32/Sobig.F@mm worm is available at
http://www.f-secure.com/v-descs/sobig_f.shtml

DISINFECTION PROCEDURE
----------------------

1. Unpack the F-Sobig utility from the provided ZIP archive either with WinZip or PkUnzip utilities. A trial version of WinZip archiver can be downloaded from the following website:
   http://www.winzip.com/ddchomea.htm

2. Run the unpacked F-Sobig.exe file from a hard disk to eliminate W32/Sobig.B@mm or W32/Sobig.C@mm, W32/Sobig.E@mm or W32/Sobig.F@mm worm infection. You can run the utility by either double clicking on it from Windows Explorer or you can start it from a command interpreter (COMMAND.COM or CMD.EXE) by typing its name at command prompt and pressing 'Enter' (for advanced users). First the F-Sobig utility will kill W32/Sobig.B@mm or W32/Sobig.C@mm, W32/Sobig.E@mm or W32/Sobig.F@mm worm's process in memory. Then the utility will remove the registry values and the additional worm copies from the startup folders.

3. Reboot the system. After restart your system should be clean.

If you have F-Secure Anti-Virus installed, the utility will temporarily disable on-access scanner to be able to disinfect your system. After the utility completes disinfection, it enables on-access scanner.
You can get a trial version of F-Secure Anti-Virus and the latest updates for it from our website:
http://www.europe.f-secure.com/download-purchase/
http://www.europe.f-secure.com/download-purchase/updates.shtml

IMPORTANT NOTES
---------------

If Sobig infection is in a network environment, then the network should be temporarily taken down before all workstations and servers are disinfected. A single infected workstation can re-infect already cleaned computers.

If a computer with Windows NT, 2000 or XP operating system is being disinfected, please log in as Administrator or as a user with local admin rights, otherwise the F-Sobig utility might not disinfect the system correctly.

If you have Windows ME or XP, it is recommended to disable System Restore feature of these operating systems to prevent your computer from re-infection with Sobig worm. The fact is that System Restore feature of these operating systems might save the infected file into the special folder and copy it back to a hard drive every time it's been deleted by F-Sobig utility. The instructions on how to disable System Restore feature are here:

Windows ME: http://www.europe.f-secure.com/v-descs/sfc_dis.shtml
Windows XP: http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

If you have any problems using this utility please contact us on 'anti-virus-support@f-secure.com' address.

Another nice, free virus scanner is Stinger, from McAfee.
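
The double-extension trick described earlier on this page (a name like "greatpicture.jpg.pif") can be checked mechanically in a mail filter. The following Python is an added example, not part of the original page or of F-Secure's tool; the extension lists other than .pif, the function names, the X-Example-Scanned header and the sample message are assumptions made for illustration.

```python
from email import message_from_string

# Assumption: illustrative blocklist; only .pif is named on the page.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}
# Assumption: extensions a reader would take for a harmless picture or document.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".txt", ".doc", ".pdf", ".mpg"}

def classify(filename):
    """Return 'ok', 'executable' or 'disguised' for one attachment name."""
    # Windows drops trailing dots and spaces, so ignore them when judging.
    name = filename.strip().rstrip(". ").lower()
    exts = ["." + part for part in name.split(".")[1:]]
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # Only the last extension decides what runs; an earlier one is a decoy.
    if any(ext in DECOY_EXTS for ext in exts[:-1]):
        return "disguised"
    return "executable"

def scan_message(raw):
    """Map each attachment filename in a raw message to its verdict."""
    parts = message_from_string(raw).walk()
    names = [p.get_filename() for p in parts]
    return {n: classify(n) for n in names if n}

# Constructed sample. The X-Example-Scanned header is made up and is never
# consulted: a "scanned, clean" claim inside the message proves nothing.
SAMPLE = """\
From: someone@example.com
Subject: Re: Details
X-Example-Scanned: clean
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="greatpicture.jpg.pif"

AAAA
--b1
Content-Type: image/jpeg
Content-Disposition: attachment; filename="holiday.jpg"

AAAA
--b1--
"""

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE).items():
        print(f"{verdict:10} {name}")
```

The verdict depends only on the attachment's final extension, which is why the "already scanned" header in the sample has no effect on the result.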