Remove Worm.Sobig.F
About Sobig.F
Sobig.F, a new variant of the Sobig Internet worm, was discovered initially
on August 19. Sobig.F spreads via email and network shares. The worm
turns an infected computer into a server for outgoing email messages
using its own SMTP engine. The sender’s addresses are spoofed,
and the target addresses are gathered from files with the following
extensions on the infected computer:
.dbx
.eml
.hlp
.htm
.html
.mht
.wab
.txt
The Sobig.F worm arrives in email with a variety of subject lines,
including:
"Your details"
"Thank you!"
"Your application"
"Wicked screensaver"
The message body contains:
See the attached file for details
Please see the attached file for details.
The attachment is one of the following:
your_document.pif, document_all.pif, thank_you.pif, your_details.pif,
details.pif, document_9446.pif, application.pif, wicked_scr.scr, movie0045.pif
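The subject, body and attachment lists above can be used to triage a mailbox or a quarantine folder. The following Python code is an added example, not part of the original article; the function names, the handling of a "Re:" prefix and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from this page (it says the subject list is not exhaustive).
SUBJECTS = {"your details", "thank you!", "your application", "wicked screensaver"}
BODIES = {"see the attached file for details",
          "please see the attached file for details."}
ATTACHMENTS = {"your_document.pif", "document_all.pif", "thank_you.pif",
               "your_details.pif", "details.pif", "document_9446.pif",
               "application.pif", "wicked_scr.scr", "movie0045.pif"}

def sobig_f_indicators(raw: bytes) -> list:
    """Return the page's Sobig.F indicators found in one raw e-mail message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject.startswith("re:"):  # assumption: tolerate a reply prefix
        subject = subject[3:].strip()
    if subject in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
        elif not name and part.get_content_type() == "text/plain":
            try:
                text = part.get_content().strip().lower()
            except LookupError:  # unknown charset: skip the body check
                continue
            if text in BODIES:
                hits.append("body")
    return hits

def constructed_sample() -> bytes:
    """Constructed test message; address and payload are placeholders."""
    m = EmailMessage()
    m["From"] = "spoofed@example.com"
    m["Subject"] = "Re: Your details"
    m.set_content("Please see the attached file for details.")
    m.add_attachment(b"placeholder, not a real executable",
                     maintype="application", subtype="octet-stream",
                     filename="your_details.pif")
    return m.as_bytes()

if __name__ == "__main__":
    print(sobig_f_indicators(constructed_sample()))
```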
How to Remove Sobig.F?
Follow these steps to remove the Sobig.F worm.
1) Disconnect from the Internet and from any network you are connected to.
You may also want to disable System Restore on Windows XP or Windows
ME before continuing.
2) Terminate the running program
Open the Windows Task Manager by pressing CTRL+ALT+DEL on Win9x
machines, or by pressing CTRL+Shift+Tab and clicking on the Processes tab
on WinNT/2000/XP machines.
Locate the following program, click on it, and choose End Task or End Process:
Winppr32.exe
3) Remove the Registry entries
Click on Start, Run, Regedit
In the left panel, go to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right panel, right-click and delete the following entry:
"TrayX"="%Windir%\winppr32.exe /sinc"
Repeat this procedure for the following Registry key as well:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Close the Registry Editor
4) Search for the following files on your computer and delete them:
Winstt32.dat, winppr32.exe
5) Reboot the computer and run a thorough virus scan using your antivirus
program.