WinSobigFmm free Removal Tool

Win32.Sobig.F@mm FREE Removal Tool Name: Win32.Sobig.F@mm
Aliases: W32/Sobig.F@mm
Type: Executable Mass Mailer
Size: ~70 KB
Discovered: 19.08.2000
Spreading: High
Damage: Low
In The Wild: Yes

Symptoms:
Registry keys:
HKLMSoftwareMicrosoftWindowsRunCurrentVersionTrayX with value:
%WINDIR%winppr32.exe /sinc
HKCUSoftwareMicrosoftWindowsRunCurrentVersionTrayX with value:
%WINDIR%winppr32.exe /sinc

Following files in the %WINDIR% folder:

Winstt32.dat
Winppr32.exe
Winstf32.dll

Technical description:

It arrives in e-mail in the following format:

Subject:
Randomly chosen from the following list:
"Re: Wicked screensaver"
"Re: That movie"
"Re: Your application"
"Re: Approved"
"Re: Re: My details"
"Re: Details"
"Your details"
"Thank you!"
"Re: Thank you!"

Body:
Please see the attached file for details.
Or
See the attached file for details

Attachment:
Randomly chosen from the following list:
"movie0045.pif"
"wicked_scr.scr"
"application.pif"
"document_9446.pif"
"details.pif"
"your_details.pif"
"thank_you.pif"
"document_all.pif"
"your_document.pif "

After the user opens the attachment the worm copies in the following location:
%WINDIR%winppr32.exe
and adds the following registry keys:
HKLMSoftwareMicrosoftWindowsRunCurrentVersionTrayX with value:
%WINDIR%winppr32.exe /sinc

HKCUSoftwareMicrosoftWindowsRunCurrentVersionTrayX with value:
%WINDIR%winppr32.exe /sinc

It searches for e-mails in the following file types:
html, wab, mht, hlp, txt, eml, htm, dbx

The worm also spreads trough network shares.
After the 10.09.2003 it stops spreading

Removal instructions:

The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus.

Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally you'll have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender Antisobig-en.exe tool does the following: