Forum: Poser - OFFICIAL


Subject: Link to 'suspicious Renderosity e-mails' thread

maclean opened this issue on Aug 19, 2003 · 42 posts


Xena posted Tue, 19 August 2003 at 5:36 PM

Attached Link: http://www3.ca.com/virusinfo/virus.aspx?ID=36376

Virus Alert Notification

Win32.Sobig.F

Alias: I-Worm.Sobig.f (Kaspersky), W32.Sobig.F@mm (Symantec), W32/Sobig.F (F-Secure), W32/Sobig.f@MM (McAfee), WORM_SOBIG.F (Trend)
Category: Win32
Type: Worm
Published Date: 8/19/2003
Last Modified: 8/19/2003

CHARACTERISTICS

Win32.Sobig.F is a worm which spreads via e-mail using its own SMTP engine.

Method of Distribution

Via Email

It arrives in a message with one of the following subjects:

Re: Thank you!
Thank you!
Your details
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie

The attachment name is chosen at random from the following list:

your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

The message body reads either:

Please see the attached file for details.

or

See the attached file for details

The worm is reported to spoof the 'From' address, so that it appears to come from a different address than that of the affected machine.

The worm appears to search files with the following extensions for e-mail addresses to send to:

txt
eml
html
htm
dbx
wab

Method of Installation

When run, the worm copies itself to the Windows directory with the following file name:

%Windows%\WINPPR32.EXE

It also creates another file in the Windows directory:

%Windows%\WINSTT32.DAT

Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME is C:\Windows; and for XP is C:\Windows.

It then creates the following registry values so WINPPR32.EXE runs whenever Windows starts:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrayX = "C:\WINDOWS\winppr32.exe /sinc"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrayX = "C:\WINDOWS\winppr32.exe /sinc"

Note: These registry values are only set if the keys already exist. For example, the second value might not be created on Windows 98 systems because the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run does not usually exist.

Additional Information

The worm is coded to stop replicating as of 10th September 2003.