Discussion in 'malware problems & news' started by Technodrome, Jan 10, 2003.

Thread Status:
Not open for further replies.
Technodrome (Security Expert, Feb 13, 2002, New York):
    Sophos has received several reports of this worm from the wild.

    W32/Sobig-A is a worm that uses a built-in SMTP client and local Windows network shares to spread.

    W32/Sobig-A arrives in an email with the following characteristics:

    Subject line - chosen from:
    Re: Movies
    Re: Sample
    Re: Document
    Re: Here is that sample

    Attached file - chosen from:

    The worm searches the local hard drive for files with the extensions TXT, HTML, EML, HTM, WAB and DBX. The files are used to extract a list of recipient email addresses that will be used by the worm to send infected emails.

    When the attachment is run, W32/Sobig-A copies itself into the Windows folder as Winmgm32.exe and creates a new process by running the file.

    W32/Sobig-A creates the following registry values to run itself on Windows startup:


    The worm connects to a website and attempts to download the file reteral.txt which contains a URL to another file. W32/Sobig-A then attempts to download and run the referenced file.

    The worm also attempts to copy itself onto Windows shares of the local network if the folders Windows\All Users\Start Menu\Programs\StartUp or Documents and Settings\All Users\Start Menu\Programs\Startup exist in a shared folder.

    Please read the instructions for removing worms.
    Windows NT/2000/XP

    In Windows NT/2000/XP you will also need to edit the following registry keys. The removal of these keys is optional in Windows 95/98/Me.

    At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

    Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

    Locate the HKEY_LOCAL_MACHINE key:


    and delete it if it exists.

    You will also need to edit the following registry key for each user who ran the virus. Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the key:

    HKU\[code number]\Software\Microsoft\Windows\

    and delete it if it exists.

    Close the registry editor and reboot your computer.

    Deleting the reteral.txt file

    Search your computer for the reteral.txt file dropped by the worm and delete it. This is optional.
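A triage check for the indicators named in the post above, added here as an example (it is not Sophos's or the poster's code): it walks a directory tree for Winmgm32.exe (flagging a copy sitting in a shared Startup folder separately), for the dropped reteral.txt, and reads a .reg export for values under Software\Microsoft\Windows\ that reference the executable. The post does not list the registry value names, so matching on value data rather than value name, the DEMO_REG contents and the temporary directory layout are constructed assumptions.

```python
import os, tempfile

# Indicators taken from the advisory: the dropped executable, the downloaded
# URL-pointer file and the shared startup folder the worm copies itself into.
DROPPED_EXE = "winmgm32.exe"
POINTER_FILE = "reteral.txt"
STARTUP_DIR = os.path.join("all users", "start menu", "programs", "startup")

def scan_tree(root):
    """Walk root and return sorted (kind, path) pairs for indicator files.
    Names are compared case-insensitively, as Windows filenames are."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        in_startup = os.path.normpath(dirpath).lower().endswith(STARTUP_DIR)
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == DROPPED_EXE:
                hits.append(("startup-copy" if in_startup else "dropped-exe", full))
            elif name.lower() == POINTER_FILE:
                hits.append(("pointer-file", full))
    return sorted(hits)

def scan_reg_export(text):
    """Return (key, value_line) pairs from a .reg export where a value under a
    Software\\Microsoft\\Windows\\ key references the dropped executable.
    Assumption: the post names no values, so value data is matched instead."""
    hits, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif "\\software\\microsoft\\windows\\" in key.lower() and DROPPED_EXE in line.lower():
            hits.append((key, line))
    return hits

# Constructed demo input: a fake registry export with one infected Run value.
DEMO_REG = """Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"SampleValue"="C:\\\\WINDOWS\\\\winmgm32.exe"
"""

def demo():
    # Constructed tree: a Windows folder plus a shared All Users Startup folder.
    root = tempfile.mkdtemp()
    win = os.path.join(root, "WINDOWS")
    share = os.path.join(root, "share", "All Users", "Start Menu", "Programs", "Startup")
    os.makedirs(win); os.makedirs(share)
    for name in ("Winmgm32.exe", "reteral.txt"):
        open(os.path.join(win, name), "w").close()
    open(os.path.join(share, "winmgm32.exe"), "w").close()
    return scan_tree(root), scan_reg_export(DEMO_REG)
```

Run `demo()` to see the three file hits and the one registry hit; point `scan_tree` at a real share mount or `scan_reg_export` at a real export to triage a machine.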

