FRISK Software International


Summary of W32/Sobig.B@mm
Alias: Palyh, Mankx
Discovered: 19 May 2003
Definition files: 19 May 2003
Risk Level: Medium
Distribution: Medium
Infection Method: Mass mailing and network shares

Brief Description
W32/Sobig.B@mm is a mass mailer that can also copy itself over a local network. It is UPX-packed and is written in Visual C++.


Technical Description
The first thing the worm does after it has been executed is to copy itself to the Windows directory under the following name:
msccn32.exe

It creates the following registry entries so that the worm is executed each time the computer is restarted:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray = %WindowsDir%\msccn32.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray = %WindowsDir%\msccn32.exe"

The worm enumerates all network drives and, if either of the following folders exists on a network drive, copies itself there:
Windows\All Users\Start Menu\Programs\StartUp
Documents and Settings\All Users\Start Menu\Programs\Startup

The worm searches the local drive for files with the following extensions and harvests e-mail addresses from them:
.wab
.dbx
.htm
.html
.eml
.txt

It uses its own SMTP engine to send the e-mails and composes the messages from the following elements. The From field is always:
support@microsoft.com

The subject is chosen from the following list:
Your details
Approved (Ref: 38446-263)
Re: Approved (Ref: 3394-65467)
Your password
Re: My details
Screensaver
Cool screensaver
Re: Movie
Re: My application

The message body is always:
All information is in the attached file.

The attachment name is chosen from the following list:
your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif
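The mail indicators above (sender, subject list, fixed body text, attachment names) and the persistence entries from the registry section are enough to write a simple matcher. The following is an added example, not FRISK's own tooling: it checks an RFC 822 message against the four mail indicators and checks the value data of a Run key against the dropped file name. The sample messages and Run-key contents are constructed here; the recipient address and the ctfmon.exe entry are placeholders and not from the description.

```python
"""Added example: match e-mail and host artifacts against the W32/Sobig.B@mm
indicators from the description above.  All sample data below is constructed."""
import ntpath
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Indicators taken from the description.
SOBIG_B_FROM = "support@microsoft.com"
SOBIG_B_SUBJECTS = {
    "Your details",
    "Approved (Ref: 38446-263)",
    "Re: Approved (Ref: 3394-65467)",
    "Your password",
    "Re: My details",
    "Screensaver",
    "Cool screensaver",
    "Re: Movie",
    "Re: My application",
}
SOBIG_B_BODY = "All information is in the attached file."
SOBIG_B_ATTACHMENTS = {
    "your_details.pif", "ref-394755.pif", "approved.pif", "password.pif",
    "doc_details.pif", "screen_temp.pif", "screen_doc.pif", "movie28.pif",
    "application.pif",
}
SOBIG_B_DROPPED_FILE = "msccn32.exe"


def message_indicators(raw: bytes) -> list[str]:
    """Return which of the mail indicators (from, subject, body, attachment) a
    raw RFC 822 message matches.  Each is checked independently so a partial
    match (a lure subject with a different attachment, say) is still visible."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    # parseaddr strips any display name: "X <support@microsoft.com>" still matches.
    if parseaddr(msg.get("From", ""))[1].lower() == SOBIG_B_FROM:
        hits.append("from")
    if (msg.get("Subject") or "").strip() in SOBIG_B_SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() == SOBIG_B_BODY:
        hits.append("body")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() in SOBIG_B_ATTACHMENTS:
            hits.append("attachment")
            break
    return hits


def is_sobig_b_mail(raw: bytes) -> bool:
    """Treat a message as Sobig.B only when sender, body and attachment name all
    match; a subject such as "Re: Movie" on its own also occurs in legitimate mail."""
    return {"from", "body", "attachment"} <= set(message_indicators(raw))


def run_key_indicators(run_values: dict[str, str]) -> list[str]:
    """Given the value names and data of a ...\\CurrentVersion\\Run key as a plain
    dict (fed from a registry export or a live read), return the value names
    whose data points at the dropped msccn32.exe, whatever the directory."""
    flagged = []
    for name, data in run_values.items():
        target = ntpath.basename(data.strip().strip('"')).lower()
        if target == SOBIG_B_DROPPED_FILE:
            flagged.append(name)
    return flagged


def build_sample(subject: str, attachment: str, sender: str = SOBIG_B_FROM,
                 body: str = SOBIG_B_BODY) -> bytes:
    """Constructed sample message shaped like the description (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.invalid"          # placeholder recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ-not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("Approved (Ref: 38446-263)", "approved.pif")
    print(message_indicators(lure), is_sobig_b_mail(lure))
    benign = build_sample("Re: Movie", "notes.txt",
                          sender="friend@example.invalid", body="See attached notes.")
    print(message_indicators(benign), is_sobig_b_mail(benign))
    print(run_key_indicators({"System Tray": r"C:\WINDOWS\msccn32.exe",
                              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}))
```

The registry check keys on the file name rather than the full path because the description gives the location as %WindowsDir%, which differs between Windows versions; matching on the value name "System Tray" alone would miss a sample that used a different name while keeping the same dropped file.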

The worm also attempts to download four files from the Internet. The domain owner has since disabled these links, so the worm is currently unable to do so.


Analysis / Description: Ragnar Gisli & Sigurdur A. Stefnisson, FRISK Software International