The massive attack of the Sobig-F worm is getting a lot of publicity, but none of the news reports provides practical information about how to tell whether a machine is infected. They mention that an executable program is copied to victims' machines, but do not even identify the name of the file. Many users are receiving notifications from corporate systems that messages that they have sent are infected, but this is a false report.
The Symantec web site, supposedly a good resource for information of this nature, has placed information about the Sobig worm in a hard-to-find location.
We have found detailed information and detection and removal instructions at the Sophos antivirus site. The essentials: look for a file called winppr32.exe under c:winnt or c:windows, and anywhere in the registry.
9:32:45 AM 
|
