W32.Sobig.D@mm

From Symantec:

"W32.Sobig.D@mm is a mass-mailing worm that sends itself to all the email addresses that it finds in files with the following extensions:

.wab
.dbx
.htm
.html
.eml
.txt

The email falsely purports that it is sent by admin@support.com

Email Routine Details
The email message has the following characteristics:

From: admin@support.com (NOTE: W32.Sobig.D@mm spoofs this field. It could be any address.)

Subject: The subject line will be one of the following:
Re: Documents
Re: App. 00347545-002
Re: Movies
Application Ref: 456003
Re: Your Application (Ref: 003844)
Re: Screensaver
Re: Accepted
Your Application

Message Body: See the attached file for details

Attachment: The attachment name will be one of the following:
Document.pif
app003475.pif
movies.pif
ref_456.pif
Application844.pif
Screensaver.scr
Accepted.pif
Applications.pif
Application.pif

NOTE: The worm de-activates on July 2, 2003, and therefore, the last day on which the worm will spread is July 1, 2003.


Also Known As: I-Worm.Sobig.gen [KAV], W32/Sobig [McAfee]
Type: Worm
Infection Length: 57,856 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me


When W32.Sobig.D@mm is executed, it performs the following actions:
1. Copies itself as %Windir%cftrb32.exe.

NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:Windows or C:Winnt) and copies itself to that location.

2. Creates the following files to store an internal configuration data:

%Windir%dftrn32.dat
%Windir%rssp32.dat

3. Adds the value:

"SFtrb Service"="%Windir%cftrb32.exe"

to the registry key:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun

so that W32.Sobig.D@mm runs when you start Windows.

4. If the operating system is Windows NT/2000/XP, then the worm will also add the value:

"SFtrb Service"="%Windir%cftrb32.exe"

to the registry key:

HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun

5. Counts the Network Resources and copies itself to the following folders:
WindowsAll UsersStart MenuProgramsStartUp
Documents and SettingsAll UsersStart MenuProgramsStartup

6. Attempts to download data from particular Web pages.

W32.Sobig.D@mm is also network-aware. It counts the network resources and copies itself to the following folders on other computers to which it has access:
WindowsAll UsersStart MenuProgramsStartUp
Documents and SettingsAll UsersStart MenuProgramsStartup"

For more information go here: http://www.symantec.com/avcenter/

Regards, Jade.

 

Thanks! I'm a Virus Mod at three boards and I didn't see that one this morning! Thanks again.

Jeannie