W32.Sobig.C@mm

Discussion in 'malware problems & news' started by Randy_Bell, Jun 1, 2003.

  1. Randy_Bell (Registered Member)
    Symantec Security Response - W32.Sobig.C@mm

    W32.Sobig.C@mm is a mass-mailing worm that sends itself to all the email addresses, purporting to have been sent by Microsoft (bill@microsoft.com). The worm finds the addresses in the files with the following extensions:

    • .wab
    • .dbx
    • .htm
    • .html
    • .eml
    • .txt
    Email Routine Details
    The email message has the following characteristics:

    From: bill@microsoft.com

    Subject: The subject line will be one of the following:

    • Re: Movie
    • Re: Submited (004756-3463)
    • Re: 45443-343556
    • Re: Approved
    • Approved
    • Re: Your application
    • Re: Application
    Message Body: Please see the attached file.

    Attachment: The attachment name will be one of the following:

    • screensaver.scr
    • movie.pif
    • submited.pif
    • 45443.pif
    • documents.pif
    • approved.pif
    • application.pif
    • document.pif
    NOTE: The worm de-activates on June 8, 2003, and therefore, the last day on which the worm will spread is June 7, 2003.

    Also Known As: W32/Sobig.c@MM [McAfee], Win32/Sobig.C [ESET]
    Type: Worm
    Infection Length: About 59kb
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux

    Technical Details

    When W32.Sobig.C@mm is executed, it performs the following actions:

    1. Copies itself as %Windir%\mscvb32.exe.

       NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

    2. Creates the following files:

       • %Windir%\msddr.dll
       • %Windir%\msddr.dat

    3. Adds the value:

       "System MScvb"="%Windir%\mscvb32.exe"

       to the registry key:

       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

       so that W32.Sobig.C@mm runs when you start Windows.

    4. If the operating system is Windows NT/2000/XP, then the worm will also add the value:

       "System MScvb"="%Windir%\mscvb32.exe"

       to the registry key:

       HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    5. Counts out the Network Resources and copies itself to the following folders:

       • Windows\All Users\Start Menu\Programs\StartUp
       • Documents and Settings\All Users\Start Menu\Programs\Startup

    6. Attempts to download data from four different GeoCities Web pages. The addresses of these Web pages are stored in the aforementioned .ini files.

    W32.Sobig.C@mm is also network-aware. It counts out the network resources and copies itself to the following folders on other computers to which it has access:

    • Windows\All Users\Start Menu\Programs\StartUp
    • Documents and Settings\All Users\Start Menu\Programs\Startup

    {See above link for detection and removal instructions}
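The mail characteristics in the post (the forged bill@microsoft.com sender, the fixed subject lines, the fixed attachment names and the one-line body) are exactly what a mail gateway could match on. The script below is an added example, not code from the post or from Symantec: it parses a raw message with Python's standard email library and scores it against those indicators. The sample messages are constructed inline with a harmless byte string in place of the worm; the EXECUTABLE_EXTS heuristic (flag any .pif/.scr-style attachment even when the name is not on the list) is my generalisation, not something the post states.

```python
"""Triage an e-mail against the W32.Sobig.C@mm indicators listed in the post.

Added example; not part of the original forum post or Symantec's write-up.
Indicator lists are copied from the post; everything else is an assumption
for illustration, and the sample messages are constructed.
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage

SOBIG_C_FROM = "bill@microsoft.com"
SOBIG_C_SUBJECTS = {
    "Re: Movie",
    "Re: Submited (004756-3463)",   # the worm's own misspelling
    "Re: 45443-343556",
    "Re: Approved",
    "Approved",
    "Re: Your application",
    "Re: Application",
}
SOBIG_C_ATTACHMENTS = {
    "screensaver.scr", "movie.pif", "submited.pif", "45443.pif",
    "documents.pif", "approved.pif", "application.pif", "document.pif",
}
SOBIG_C_BODY = "Please see the attached file."
# Assumption (not from the post): extensions Windows runs directly. A .pif or
# .scr attachment is worth flagging even when its name is not on the list.
EXECUTABLE_EXTS = (".pif", ".scr", ".exe", ".com", ".bat")


def attachment_names(msg: EmailMessage) -> list:
    """Filenames of every part carrying Content-Disposition: attachment."""
    return [
        part.get_filename()
        for part in msg.walk()
        if part.get_filename() and part.get_content_disposition() == "attachment"
    ]


def triage(raw: bytes) -> dict:
    """Score one raw RFC 822 message.

    verdict is 'sobig_c' when sender, subject and attachment name all match the
    post's lists, 'suspicious' when an executable attachment arrives together
    with any one of the other indicators, and 'clean' otherwise.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Compare the address part only; a display name may precede it.
    addr = email.utils.parseaddr(msg.get("From") or "")[1].lower()
    subject = (msg.get("Subject") or "").strip()
    names = attachment_names(msg)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""

    hits = {
        "from": addr == SOBIG_C_FROM,
        "subject": subject in SOBIG_C_SUBJECTS,
        "attachment": any(n.lower() in SOBIG_C_ATTACHMENTS for n in names),
        "body": body == SOBIG_C_BODY,
    }
    exec_attach = any(n.lower().endswith(EXECUTABLE_EXTS) for n in names)

    if hits["from"] and hits["subject"] and hits["attachment"]:
        verdict = "sobig_c"
    elif exec_attach and (hits["body"] or hits["from"] or hits["subject"]):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "attachments": names, **hits}


def build_sample(subject: str, filename: str, sender: str = SOBIG_C_FROM) -> bytes:
    """Constructed message shaped like the worm's mail; the payload is a dummy."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(SOBIG_C_BODY)
    msg.add_attachment(b"MZ-not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, fn in [("Re: Approved", "approved.pif"), ("Hello", "report.pdf")]:
        print(subj, fn, "->", triage(build_sample(subj, fn))["verdict"])
```

The exact-name match only catches this variant; the durable part of the rule is the executable-attachment check, since a re-packed worm changes its strings long before it changes its delivery mechanism. The From address is a forged header and says nothing about where the mail actually came from; treat it as a decoy indicator, not as evidence against Microsoft's mail servers.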