The SoBig.F worm has continued to pound organizations, ISPs, and individual users to the point that numerous parties in IT are now calling it the fastest-spreading virus ever. Now it also appears that the virus and its variants may be carrying a dangerous hidden Trojan.

The Trojan
According to antivirus companies Sophos and F-Secure, on Friday, Aug. 22, 2003, beginning precisely at 19:00:00 UTC (3:00 P.M. Eastern Daylight Time), a Trojan planted by SoBig.F is scheduled to activate and do something—except nobody knows just what.

A Central Command Press Release, which appears to be the first to disclose the hidden encrypted code planted by SoBig.F, gives the same time, but sets the activation date as September 10-11. Of course, that doesn’t necessarily mean that Central Command is incorrect; there may be multiple variants of the Trojan.

F-Secure reports its analysis of the code provides some server addresses that don’t lead to anything right now, and speculates that the server addresses will be forwarded to some other address just seconds before the Trojan activates in order to prevent antivirus analysts from reading the program and working out countermeasures in advance.

F-Secure is also providing some additional details, such as the fact that SoBigF appears to have infected nearly 100 million systems in just over four days and, when the Trojan activates, it will launch itself from 20 ordinary systems—many of them home computers on cable modems—located in the U.S., Canada, and Korea. For now, it isn’t known whether the Trojan will try to co-opt other systems already compromised by SoBig.F or will launch some entirely different sort of attack.

Although the eventual attack may not be of a serious nature, this is a highly sophisticated attack, even using atomic clocks to synchronize the activation of the Trojan, and chances are good that this is a potentially serious event. At worst, it could involve some form of cyberterrorism. Attempts to reach the FBI cybersecurity division were unsuccessful.

Cleaning up SoBig.F
Although removing SoBig.F from an infected system (unless it is one of the 20 selected targets) may not have any effect on slowing this attack, you should still be diligent in getting it cleaned up—if only because other Trojan variants may be programmed to do other things on a local system.

At the very least, block UDP port 8998 on your firewalls and your systems. That should mitigate damages somewhat by blocking the worm from downloading any further malicious code.

The best way to determine if you are infected is to scan your system(s) with one of the many antivirus programs (updated with the latest virus signatures), such as the one from Sophos. Also, Sophos reports that SoBig.F uses the filename winppr32.exe, and that it copies itself to the Windows folder, making one of the registry entries shown here in the process. Because SoBig.F has its own SMTP engine, collects e-mail addresses from various files on an infected computer, and then forges the sender’s e-mail, it is very difficult to determine who is infected based on an infected message.

There are a few manual removal options. Trend Micro provides manual removal instructions for SoBig.F and McAfee also has a page with manual removal instructions. All manual removal requires some complex steps, including Registry editing, which should only be attempted by IT professionals and not end users. Also note that Symantec is offering a free downloadable removal tool.

Final word
The worst of SoBig.F may not be over yet. Because of the unpredictable dangers inherent with the hidden Trojan that appears to be included with SoBig.F, every administrator should move quickly to mitigate the damage that could be caused by this worm by following the recommendations mentioned above for removing SoBig.F and blocking its communications ability.