W32.Sobig.D@mm

Discussion in 'malware problems & news' started by Bowserman, Jun 18, 2003.

  1. Bowserman (Infrequent Poster; joined Apr 15, 2003; 510 posts; South Australia)

    From Symantec:

    "W32.Sobig.D@mm is a mass-mailing worm that sends itself to all the email addresses that it finds in files with the following extensions:

    .wab
    .dbx
    .htm
    .html
    .eml
    .txt

    The email falsely purports that it is sent by admin@support.com

    Email Routine Details
    The email message has the following characteristics:

    From: admin@support.com (NOTE: W32.Sobig.D@mm spoofs this field. It could be any address.)

    Subject: The subject line will be one of the following:
    Re: Documents
    Re: App. 00347545-002
    Re: Movies
    Application Ref: 456003
    Re: Your Application (Ref: 003844)
    Re: Screensaver
    Re: Accepted
    Your Application

    Message Body: See the attached file for details

    Attachment: The attachment name will be one of the following:
    Document.pif
    app003475.pif
    movies.pif
    ref_456.pif
    Application844.pif
    Screensaver.scr
    Accepted.pif
    Applications.pif
    Application.pif

    NOTE: The worm de-activates on July 2, 2003, and therefore, the last day on which the worm will spread is July 1, 2003.


    Also Known As: I-Worm.Sobig.gen [KAV], W32/Sobig [McAfee]
    Type: Worm
    Infection Length: 57,856 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me


    When W32.Sobig.D@mm is executed, it performs the following actions:
    1. Copies itself as %Windir%\cftrb32.exe.

    NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

    2. Creates the following files to store internal configuration data:

    %Windir%\dftrn32.dat
    %Windir%\rssp32.dat

    3. Adds the value:

    "SFtrb Service"="%Windir%\cftrb32.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that W32.Sobig.D@mm runs when you start Windows.

    4. If the operating system is Windows NT/2000/XP, then the worm will also add the value:

    "SFtrb Service"="%Windir%\cftrb32.exe"

    to the registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    5. Counts the Network Resources and copies itself to the following folders:
    Windows\All Users\Start Menu\Programs\StartUp
    Documents and Settings\All Users\Start Menu\Programs\Startup

    6. Attempts to download data from particular Web pages.

    W32.Sobig.D@mm is also network-aware. It counts the network resources and copies itself to the following folders on other computers to which it has access:
    Windows\All Users\Start Menu\Programs\StartUp
    Documents and Settings\All Users\Start Menu\Programs\Startup"

    For more information go here: http://www.symantec.com/avcenter/

    Regards, Jade.
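As an added example (not part of the original post or of Symantec's writeup), the email indicators quoted above turned into a small gateway-side classifier: it parses a message, matches the Subject and attachment names against the listed values, and, going one step beyond the list, flags any .pif or .scr attachment regardless of name. The sample messages are constructed; the From check is only used as corroborating evidence because the advisory says that field is spoofed.

```python
import email
from email import policy

# Indicators transcribed from the Symantec description quoted above.
SOBIG_D_SUBJECTS = {
    "Re: Documents", "Re: App. 00347545-002", "Re: Movies",
    "Application Ref: 456003", "Re: Your Application (Ref: 003844)",
    "Re: Screensaver", "Re: Accepted", "Your Application",
}
SOBIG_D_ATTACHMENTS = {
    "document.pif", "app003475.pif", "movies.pif", "ref_456.pif",
    "application844.pif", "screensaver.scr", "accepted.pif",
    "applications.pif", "application.pif",
}
# Executable types the worm uses; blocking these by extension also
# catches renamed copies the name list would miss (generalization, not from the advisory).
RISKY_EXTENSIONS = (".pif", ".scr")

def attachment_names(msg):
    """Filenames of all attachment parts in a parsed message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]

def classify(raw):
    """Return the reasons a raw RFC 822 message looks like Sobig.D (empty list = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SOBIG_D_SUBJECTS:
        reasons.append(f"known worm subject: {subject!r}")
    for name in attachment_names(msg):
        lower = name.lower()
        if lower in SOBIG_D_ATTACHMENTS:
            reasons.append(f"known worm attachment: {name}")
        elif lower.endswith(RISKY_EXTENSIONS):
            reasons.append(f"executable attachment: {name}")
    # From is spoofed, so it only counts once something else already matched.
    if reasons and "admin@support.com" in str(msg["From"] or "").lower():
        reasons.append("spoofed sender admin@support.com")
    return reasons

# Constructed sample messages (the attachment payload is a dummy base64 blob, not the worm).
SAMPLE_WORM_MAIL = """\
From: admin@support.com
To: someone@example.org
Subject: Re: Your Application (Ref: 003844)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

See the attached file for details
--XX
Content-Type: application/octet-stream; name="Application844.pif"
Content-Disposition: attachment; filename="Application844.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XX--
"""
SAMPLE_CLEAN_MAIL = "From: alice@example.org\nSubject: Re: lunch\n\nSee you at noon\n"
```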
     
  2. ladyjeweler (Registered Member; joined Feb 22, 2003; 23 posts; North Carolina)

    Thanks! I'm a Virus Mod at three boards and I didn't see that one this morning! Thanks again. :)

    Jeannie
     