Home>Tips
& Articles>Remove
Worms & Virus>
Remove Worm.Sobig.E
About Sobig.E
The Sobig.E worm spreads via email and network shares. The worm turns
an infected computer into a server for outgoing email messages using
its own SMTP engine. The sender’s addresses are spoofed, and the
target addresses are gathered from files with the following extensions
on the infected computer:
.DBX, .EML, .HTM, .HTML, .TXT, .WAB
Remove this worm virus using McAfee Virus Scan 2004!
The Sobig.E worm arrives in email with a variety of subject lines,
including:
Re: Re: Document
Re: Re: Application ref. 003644
Re: Documents
Re: Screensaver
Re: Submited (Ref: 003746)
Re: Movies
Re: Movie
Re: Application
Your application
referer.pif
004448554.pif
re.document.pif
new_document.pif
submited.pif
Screensaver.scr
movie.pif
Applications.pif
Application.pif
The sender of the message is: support@yahoo.com
or <username@domain.com>
The message body contains: Please see the attached zip file
for details
The attachment is one of the following:
Movie.zip (Movie.pif)
screensaver.zip (sky_world.scr)
document.zip (document.pif)
application.zip (application.pif)
Your_details.zip(details.pif)
The worm also attempts to copy itself to the following folders on all
the open network shares:
\Windows\All Users\Start Menu\Programs\StartUp
Documents and Settings\All Users\Start Menu\Programs\Startup
How to Remove Sobig.E?
Follow these steps in removing the SoBig.E worm.
1) Disconnect from the Internet or any network you are connected to,
you may also want to disable System Restore on Windows XP or Windows
ME before continuing
2) Terminate the running program
Open the Windows Task Manager by either pressing CTRL+ALT+DEL on Win9x
machines or CTL+Shift+Tab and clicking on the Processes tab on WinNT/2000/XP
machines.
Locate the following program, click on it and End Task or End Process
SFtrb Service or winssk32.exe
3) Remove the Registry entries
Click on Start, Run, Regedit
In the left panel go to
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current
Version>Run
In the right panel, right-click and delete the following entry:
SSK Service
Then go to
HKEY_CURRENT_USER>Software>Microsoft>Windows>Current
Version>Run
delete the following entry:
SSK Service
4 ) Search the following files in your computer and delete them:
msrrf.dat
winssk32.exe
5) Reboot the computer and run a thorough virus scan using your antivirus
program.
Remove other worms & virus:
