Win32.Sobig.F@mm( W32/Sobig.F@mm )
SYMPTOMS: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrayX] with value %WINDIR%\winppr32.exe /sinc [HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrayX] with value %WINDIR%\winppr32.exe /sinc Winstt32.dat Winppr32.exe Winstf32.dll TECHNICAL DESCRIPTION: It arrives in e-mail in the following format:Subject: Randomly chosen from the following list: Re: That movie Re: Wicked screensaver Re: Your application Re: Approved Re: Re: My details Re: Details Your details Thank you! Re: Thank you! Body: Please see the attached file for details. or See the attached file for details Attachment: Randomly chosen from the following list: movie0045.pif wicked_scr.scr application.pif document_9446.pif details.pif your_details.pif thank_you.pif document_all.pif your_document.pif After the user opens the attachment the worm copies in the following location: %WINDIR%\winppr32.exe and adds the following registry keys: with value %WINDIR%\winppr32.exe /sinc with value %WINDIR%\winppr32.exe /sinc It searches for e-mails in the following file types: html wab mht hlp txt eml htm dbx The worm includes a thread that every one hour reads the time by connecting three times to public NTP (Network Time Protocol) servers from a hardcoded list; if the day of the week is Friday or Sunday and the hour is between 19:00 and 22:59, the worm tries to connect to several hardcoded hosts on UDP port 8998 in order to receive the location of a file to download and execute. The IP's of these hosts are: 68.50.208.96, 12.232.104.221, 218.147.164.29, 24.33.66.38, 12.158.102.205, 24.197.143.132, 24.206.75.137, 24.202.91.43, 24.210.182.156, 61.38.187.59, 65.92.80.218, 63.250.82.87, 65.92.186.145, 65.95.193.138, 65.93.81.59, 65.177.240.194, 66.131.207.81, 67.9.241.67, 68.38.159.161, 67.73.21.6 . Then it waits for the answer, it connects to the decoded answer and downloads a file – using the instruction UrlDownloadToCacheFileA. The virus executes the downloaded file directly using a CreateProcess instruction. The worm also spreads trough network shares. It stops spreading after 10.09.2003. Removal instructions: The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus.Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally you'll have to manually delete the infected files located in archives and the infected messages from your mail client. The BitDefender Antisobig-en.exe tool does the following: You may also need to restore the affected files. To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables. If you are running Windows 95/98/Me you will have to apply the following patch provided by Microsoft to stop the virus from using the Share Level Password vulnerability. ANALYZED BY: Sorin Dudea BitDefender Virus Researcher |