Archives » August 22nd, 2003

August 22, 2003

Sorry folks

I think I have to apologize to the Internet. One of the computers at my office had an out-of-date anti-virus scanner, and it let the Sobig virus right in. For a couple of days, not sure how long, the computer’s been spraying who knows how many e-mails, as well as clogging up net traffic. Our internet connection has been slow and spotty for the last couple of days. I thought it was problems upstream from us. I had no idea there was a devil lurking in our midst. I thought I had trained everyone at my office to be suspicious of suspicious-looking e-mails, and that the anti-virus would catch anything that they overlooked. I was wrong, on both counts apparently.

It’s even worse, because this morning everything was running so slowly, and I was thinking about writing this whole huge rant about Sobig and how crippled everything has been this week because of that and the Blaster worm. I’m glad I stayed my tongue, because if I had written that, then found out it was my network causing the problem, the irony would have been a little too delicious to handle.

I’ve got it cleaned up now. Apparently our ISP had other customers with the worm, and it got so bad that their upstream provider cut them off. So, even though my office is now clean, we’re still offline. Who knows when they’re going to get back up.

And I’ve got to apologize to the hundreds or probably thousands of people who got a Sobig e-mail from my company. I slipped up this time. I gotta keep my eyes open wider.

Anyway, I now know how to detect and remove Sobig, so you can check just to make sure it’s not running on your computer. Its presence is indicated by two files on your C:\ drive, winppr32.exe and winstt32.dat. They’ll be in the Windows directory. If you have either of those files, you’ve probably got SoBig. You need to restart your computer in Safe Mode, delete those two files, and delete the registry entry that runs them. In the registry, under HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run there will be an entry for TrayX. Delete it. Reboot and you should be Sobig-free. And watch out for those e-mails in the future!

So there. That’s my atonement. Copied from McAfee’s virus page, but still. It works. Now I have to go flog myself for a while. And give my co-workers yet another lesson in the three Ws of e-mail attachments. You need to know What it is, Who it’s from, and Why they sent it. If you’re in doubt about any of the three, don’t open it!