W32/Sobig-A

Discussion in 'malware problems & news' started by Technodrome, Jan 10, 2003.

Thread Status:
Not open for further replies.
    Sophos has received several reports of this worm from the wild.


    Description
    W32/Sobig-A is a worm that uses a built-in SMTP client and local Windows network shares to spread.

    W32/Sobig-A arrives in an email with the following characteristics:

    Subject line - chosen from:
    Re: Movies
    Re: Sample
    Re: Document
    Re: Here is that sample

    Attached file - chosen from:
    Document003.pif
    Sample.pif
    Untitled1.pif
    Movie_0074.pif

    The worm searches the local hard drive for files with the extensions TXT, HTML, EML, HTM, WAB and DBX. The files are used to extract a list of recipient email addresses that will be used by the worm to send infected emails.

    When the attachment is run, W32/Sobig-A copies itself into the Windows folder as Winmgm32.exe and creates a new process by running the file.

    W32/Sobig-A creates the following registry values to run itself on Windows startup:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM

    The worm connects to a website and attempts to download the file reteral.txt which contains a URL to another file. W32/Sobig-A then attempts to download and run the referenced file.

    The worm also attempts to copy itself onto Windows shares of the local network if the folders Windows\All Users\Start Menu\Programs\StartUp or Documents and Settings\All Users\Start Menu\Programs\Startup exist in a shared folder.


    Recovery
    Please read the instructions for removing worms.
    Windows NT/2000/XP

    In Windows NT/2000/XP you will also need to edit the following registry keys. The removal of these keys is optional in Windows 95/98/Me.

    At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

    Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

    Locate the HKEY_LOCAL_MACHINE key:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM

    and delete it if it exists.

    You will also need to edit the following registry key for each user who ran the virus. Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the key:

    HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM

    and delete it if it exists.

    Close the registry editor and reboot your computer.

    Deleting the reteral.txt file

    Search your computer for the reteral.txt file dropped by the worm and delete it. This is optional.


    http://www.sophos.com


    Technodrome
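The manual recovery steps in the post (HKLM Run value, the same value under each HKEY_USERS hive, the dropped Winmgm32.exe and reteral.txt) can be checked in one pass. The script below is an added example, not part of the Sophos advisory or the forum post; it assumes Windows PowerShell 5.1 or later, run from an elevated prompt so loaded user hives are readable, and it only reports what it finds (nothing is deleted).

```powershell
# Added example: read-only check for the W32/Sobig-A artifacts named in the advisory.
# Assumption: run elevated so every loaded hive under HKEY_USERS can be read.

$valueName = 'WindowsMGM'   # Run value name the worm creates
$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
$findings  = @()

# 1. Machine-wide autorun value (HKLM\...\Run\WindowsMGM)
$hklm = Get-ItemProperty -Path "HKLM:\$runSubKey" -Name $valueName -ErrorAction SilentlyContinue
if ($hklm) { $findings += "HKLM\$runSubKey\$valueName = $($hklm.$valueName)" }

# 2. Per-user autorun value: the advisory says to check HKEY_USERS\<SID> for every user
#    who ran the attachment. PowerShell has no HKU: drive by default, so create one.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem -Path 'HKU:\' | ForEach-Object {
    $sid  = $_.PSChildName
    $val  = Get-ItemProperty -Path "HKU:\$sid\$runSubKey" -Name $valueName -ErrorAction SilentlyContinue
    if ($val) { $findings += "HKU\$sid\$runSubKey\$valueName = $($val.$valueName)" }
}

# 3. The copy the worm drops into the Windows folder
$winmgm = Join-Path $env:windir 'Winmgm32.exe'
if (Test-Path -Path $winmgm) { $findings += "File present: $winmgm" }

# 4. The downloaded reteral.txt (the advisory calls this step optional; search limited to the system drive)
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'reteral.txt' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "File present: $($_.FullName)" }

if ($findings.Count -eq 0) {
    'No W32/Sobig-A artifacts found.'
} else {
    'Possible W32/Sobig-A artifacts (review before removing, and back up the registry first):'
    $findings | ForEach-Object { "  $_" }
}
```

Only hives of users currently logged on (or otherwise loaded) appear under HKEY_USERS, so check other user accounts after they log on, as the advisory's per-user instruction implies.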