Win32.SoBig.E@mm (W32/Sobig.e@MM (McAfee), WORM_SOBIG.E (Trend), W32/Sobig-E (Sophos))
SYMPTOMS:

Presence of the following files in the Windows folder:
    winssk32.exe
    msrrf.dat

Presence of the following registry values, where %WINDOWS% points to the Windows folder:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"SSKService" = "%WINDOWS%\winssk32.exe"]
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"SSKService" = "%WINDOWS%\winssk32.exe"]

TECHNICAL DESCRIPTION:

Similar to Win32.Sobig.D@mm, this mass mailer spreads through e-mail and network shares. It will de-activate itself on July 14, 2003.

The infected e-mails look like this:

From: support@yahoo.com (usually, but it can be any e-mail address)

Subject: chosen from the following:
    004448554.pif
    Application.pif
    Applications.pif
    movie.pif
    new document.pif
    Referer.pif
    Screensaver.scr
    submited.pif
    Your application
    Re: Application
    Re: document.pif
    Re: Documents
    Re: Movie
    Re: Movies
    Re: ScRe:ensaver
    Re: Submitted
    Re: Re: Application ref 003644
    Re: Re: Document

Body: Please see the attached zip file for details.

Attachment: one of the following:
    application.zip (containing application.pif)
    document.zip (containing document.pif)
    Movie.zip (containing Movie.pif)
    screensaver.zip (containing sky_world.scr)
    Your_details.zip (containing details.pif)

Once executed, the virus creates a copy of itself as winssk32.exe and a configuration file, msrrf.dat, both in the Windows folder. It then creates the aforementioned registry values so that it runs at every Windows startup. Next, it searches files matching .wab, .dbx, .htm, .html, .eml and .txt and harvests e-mail addresses from them. It features its own SMTP engine, which it uses to send zipped copies of itself to the harvested addresses.

It also spreads through network shares and attempts to place copies of itself in:
    C:\Windows\All Users\Start Menu\Programs\Startup\
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Due to a bug in the virus, the last letter of the attachment's name may be missing (example: Your_details.zi).

Removal instructions:

The BitDefender Virus Analysis Team has released a free removal tool for this particular virus.

Important: You will have to close all applications (including the antivirus shields) before running the tool, and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender Antisobig-en.exe tool does the following:

You may also need to restore the affected files.

To prevent the virus from replicating itself from infected machines to clean machines, you should disinfect all computers in the network before rebooting any of them, or unplug the network cables.

If you are running Windows 95/98/Me, you will have to apply the following patch provided by Microsoft to stop the virus from using the Share Level Password vulnerability.

ANALYZED BY: Patrick Vicol, BitDefender Virus Researcher
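As an added example (not part of the original BitDefender entry), the following Python script turns the mail characteristics listed above (subject list, body text, outer zip names, inner payload names, and the truncation bug that drops the last letter of the attachment name) into a simple mail-gateway check. The `Message` class, the `classify` and `scan` functions, and the sample messages are constructed for illustration; the indicator lists are taken from the description.

```python
"""Gateway-side check for the Sobig.E mail pattern described in the entry above.
Indicator lists come from the description; messages below are constructed samples."""
import re
from dataclasses import dataclass

# Subjects as listed in the description (compared case-insensitively).
SOBIG_E_SUBJECTS = {
    "004448554.pif", "application.pif", "applications.pif", "movie.pif",
    "new document.pif", "referer.pif", "screensaver.scr", "submited.pif",
    "your application", "re: application", "re: document.pif", "re: documents",
    "re: movie", "re: movies", "re: scre:ensaver", "re: submitted",
    "re: re: application ref 003644", "re: re: document",
}
# Outer attachment names and the payload names found inside the zips.
SOBIG_E_ZIPS = {"application.zip", "document.zip", "movie.zip",
                "screensaver.zip", "your_details.zip"}
SOBIG_E_PAYLOADS = {"application.pif", "document.pif", "movie.pif",
                    "sky_world.scr", "details.pif"}
SOBIG_E_BODY = "please see the attached zip file for details."


@dataclass
class Message:                       # hypothetical minimal mail record
    subject: str
    body: str
    attachment: str                  # outer attachment file name
    inner_files: tuple = ()          # names inside the zip, if the gateway unpacked it


def normalize_attachment(name: str) -> str:
    """Lower-case the name and repair the worm's truncation bug ('Your_details.zi')."""
    n = name.strip().lower()
    if n.endswith(".zi"):
        n += "p"
    return n


def classify(msg: Message):
    """Return (is_sobig_e, reasons).

    The attachment indicator is required, plus at least one corroborating
    indicator, so a legitimate mail that merely carries a 'document.zip'
    is not flagged on the file name alone."""
    reasons = []
    att = normalize_attachment(msg.attachment)
    if att not in SOBIG_E_ZIPS:
        return False, reasons
    reasons.append(f"attachment name {att!r} matches Sobig.E list")
    if att != msg.attachment.strip().lower():
        reasons.append("attachment extension truncated (Sobig.E bug)")
    if msg.subject.strip().lower() in SOBIG_E_SUBJECTS:
        reasons.append("subject matches Sobig.E list")
    if re.sub(r"\s+", " ", msg.body.strip().lower()) == SOBIG_E_BODY:
        reasons.append("body matches Sobig.E template")
    if any(f.lower() in SOBIG_E_PAYLOADS for f in msg.inner_files):
        reasons.append("zip contains a known Sobig.E payload name")
    return len(reasons) >= 2, reasons


def scan(messages):
    """Indices of messages that classify as Sobig.E."""
    return [i for i, m in enumerate(messages) if classify(m)[0]]


# Constructed sample traffic: two worm mails (one with the truncated name),
# one legitimate mail that happens to use document.zip, one unrelated mail.
SAMPLE_MESSAGES = [
    Message("Re: Movies", "Please see the attached zip file for details.",
            "Movie.zip", ("Movie.pif",)),
    Message("Re: Documents", "Hi", "Your_details.zi"),
    Message("Quarterly numbers", "Attached as discussed.", "document.zip", ("q3.xlsx",)),
    Message("Re: Application", "Please see the attached zip file for details.", "resume.pdf"),
]

if __name__ == "__main__":
    for i, m in enumerate(SAMPLE_MESSAGES):
        hit, why = classify(m)
        print(i, "SOBIG.E" if hit else "clean", why)
```

The check deliberately treats a bare name match as insufficient: the third sample carries `document.zip` but neither the subject, the body nor the zip contents corroborate, so it passes, while the second sample is caught even though its attachment name was truncated to `.zi` by the worm's bug.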