Search Solo Products, Services and others Overview of the Site Design and Build a Career Contact us for customer service and other feedback info SRN Micro Privacy Statement

 


WINPPR32.EXE PROCESS INFORMATION

Process Name  : winppr32.exe

Process Path : %WINDOWS%\winppr32.exe [ C:\Windows\winppr32.exe]

Process type    : Internet Worm

Malware Name : W32.Sobig.F@mm

Alias             : I-Worm.Sobig.gen, WORM_SOBIG.F, W32/Sobig-F, Sobig.F Worm

Threat level : Low

Process Details

                     Winppr32.exe is the main component dropped by Sobig.F worm. It uses e-mail addresses collected from DBX, HTML, DBX, EML, HML, TXT and WAB files to send infected messages. It is very similar to Sobig.B Worm. Sobig.F infects Windows 95, 98, ME, 2000, NT, XP systems. It also copies to shared network drives. Sobig.F worm will not spread after 10th September, 2003.

                     The infected e-mail attachment and e-mail subject is chosen from the list given in the worm. The email body contains the text "See the attached file for details or Please see the attached file for details." and the sender field is randomly chosen by the worm. 

The infected mail subject will be one of the following.

Thank you
Re: Thank you! 
Re: Wicked screensaver 
Re: Approved 
Re: That movie 
Re: Re: My details 
Re: Your application 
Re: Details
Your details

The infected mail attachment will be one of the following.

thank_you.pif
wicked_scr.scr 
application.pif 
details.pif 
document_9446.pif 
document_all.pif 
movie0045.pif 
your_details.pif 
your_document.pif

                     When the infected attachment is executed, the worm copies itself to Windows folder as "winppr32.exe". Sobig.F worm creates new keys in the registry Run section to load automatically. The registry modification is given below.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windows%\winppr32.exe /sinc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windows%\winppr32.exe /sinc

                     The worm spoofs the sender's e-mail id. So it is very difficult to find the infected user. If an infected user contains your e-mail id, Sobig.F will send infected mails using your e-mail id too. So you will receive virus warning messages and undeliverable messages. 

                     Sobig.F worm has the ability to update automatically via Internet. It contains a list of 20 IP addresses of NTP remote servers located in different countries. After reaching the time deadline, it will try to connect the NTP servers and download additional components. These remote servers are already disconnected from the net. 

                     Sobig.F worm copies to the shared network drives startup folder in the remote machine. So the infected files will be executed automatically on the next startup. Sobig.F variant detected on August 19th, 2003.

How can I protect my system?

                   Solo has incorporated winppr32.exe in its signature file to protect users from this worm attack. Solo antivirus registered users are already protected from this worm. Make sure that you have installed registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this worm?

                   Solo antivirus can detect and remove W32.Sobig.F@mm Worm safely. Use the following link to Download 30 day trial version of Solo antivirus to remove viruses from your computer.

                   Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from New Internet Worms, Backdoors and malicious VB, Java Scripts. It also effectively removes all existing Internet Worms, File viruses, malicious VB, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link