Win32.Sobig.C@mm( W32/Sobig.C@mm, Win32/Sobig.C@mm )
SYMPTOMS:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

TECHNICAL DESCRIPTION:
Win32.Sobig.C@mm is an Internet worm that spreads through e-mail and local shares. It arrives in the following format:

From: bill@microsoft.com
Subject: randomly chosen from the following strings:
    Re: Movie
    Re: Submited (004756-3463)
    Re: 45443-343556
    Re: Approved
    Approved
    Re: Your application
    Re: Application
Body: Please see the attached file
Attachment: randomly chosen from the following strings:
    screensaver.scr
    movie.pif
    submited.pif
    45443.pif
    documents.pif
    approved.pif
    application.pif
    document.pif

When the user opens the attachment of an infected e-mail, the worm copies itself into the %WINDOWS% directory under the following name:
    %WINDIR%\mscvb32.exe
It creates the file:
    %WINDIR%\msddr.dat
In the registry key:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
it adds the value:
    "System MScvb" = "C:\WinNT\mcvb32.exe"
It scans the hard drive for the following file types:
    .wab .dbx .htm .html .eml .txt
and searches for e-mail addresses inside those files. After this it sends itself to every e-mail address found, in the same format in which it arrives.

The worm searches through network shares and copies itself into the following folders:
    Windows\All Users\Start Menu\Programs\StartUp
    Documents and Settings\All Users\Start Menu\Programs\Startup

More information will be posted after further analysis.

Removal instructions:
The BitDefender Virus Analysis Team has released a free removal tool for this particular virus. Important: you will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender Antisobig-en.exe tool does the following:

You may also need to restore the affected files.
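As an added illustration (not part of the original description and not BitDefender's removal tool), the following Python script checks an RFC 822 message against the delivery indicators listed above: the forged sender, the subject pool, the body text and the attachment-name pool. The two sample messages are constructed here for demonstration; a mail gateway would feed it real messages instead.

```python
"""Flag e-mail messages matching the Win32.Sobig.C@mm delivery pattern.

Added example (not BitDefender's tool): the indicators below are taken from the
description above; the sample messages are constructed here for demonstration.
"""
import email
import email.policy
from email.message import EmailMessage

# Indicators from the description: forged sender, subject pool, attachment pool, body text.
FORGED_SENDER = "bill@microsoft.com"
SUBJECTS = {
    "Re: Movie", "Re: Submited (004756-3463)", "Re: 45443-343556",
    "Re: Approved", "Approved", "Re: Your application", "Re: Application",
}
ATTACHMENTS = {
    "screensaver.scr", "movie.pif", "submited.pif", "45443.pif",
    "documents.pif", "approved.pif", "application.pif", "document.pif",
}
BODY_TEXT = "please see the attached file"


def sobig_c_indicators(raw: bytes) -> list:
    """Return the names of the Sobig.C indicators present in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    sender = (msg.get("From") or "").strip().lower()
    if FORGED_SENDER in sender:
        hits.append("sender")
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_TEXT in body.get_content().lower():
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append("attachment")
            break
    return hits


def is_suspected_sobig_c(raw: bytes) -> bool:
    """An attachment from the worm's pool plus any other indicator counts as a hit.

    Requiring the attachment avoids flagging an ordinary reply that merely reuses
    a common subject such as "Re: Approved".
    """
    hits = sobig_c_indicators(raw)
    return "attachment" in hits and len(hits) >= 2


def build_sample(sender, subject, body, attachment_name=None) -> bytes:
    """Construct a test message (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Placeholder bytes stand in for the attachment; no real worm body is used.
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one matching the worm's format, one ordinary reply.
SAMPLE_INFECTED = build_sample(FORGED_SENDER, "Re: Approved",
                               "Please see the attached file", "approved.pif")
SAMPLE_BENIGN = build_sample("colleague@example.invalid", "Re: Approved",
                             "Looks fine, approved on my side.", "notes.txt")

if __name__ == "__main__":
    for label, raw in (("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN)):
        print(label, sobig_c_indicators(raw), is_suspected_sobig_c(raw))
```

The sender check alone is weak evidence, since the worm forges a well-known address that legitimate mail could also carry; the decision therefore hinges on the attachment name pool, with the other indicators raising confidence.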
To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables. If you are running Windows 95/98/Me you will have to apply the following patch provided by Microsoft to stop the virus from using the Share Level Password vulnerability.

ANALYZED BY:
Sorin Victor Dudea
BitDefender Virus Researcher