Virus Profile: W32/Sobig.b@MM

Virus Profile information details
Risk Assessment: Home Medium | Corporate Medium
Date Discovered: 5/18/2003
Date Added: 5/18/2003
Origin: Unknown
Length: approx. 58 KBytes
Type: Virus
Subtype: Internet Worm
DAT Required: 4265
Removal Instructions

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Presence of the files and Registry keys detailed in the Virus Characteristics section.

Methods of Infection

This worm propagates via email and network shares.

The worm contains a routine that retrieves and checks the system date/time. If the date is 31 May 2003 or later, the worm no longer propagates (it will still install itself successfully on machines where it is run, however).

Aliases

I-Worm.Sobig.b (AVP), W32.HLLW.Mankx@mm (NAV), W32.Sobig.B@mm (NAV), W32/Palyh (Panda), W32/Palyh-A (Sophos), W32/Palyh@MM, W32/Sobig.b@MM, W32/Sobig.B@mm (F-Prot), Win32.HLLM.Reteras.2 (Dialogue Sci), Win32.Palyh.A (CA), WORM_PALYH.A (Trend)

Virus Characteristics

-- Update 05/21/03 --

Starting from the 4266 DATs (released 05/21/03), this virus has been renamed from W32/Palyh@MM to W32/Sobig.b@MM in order to correctly identify it as a new variant of W32/Sobig@MM.

-- Update 05/18/03 --

Detection and cleaning for this worm is included in the 4265 DATs, which have been released today.

This worm bears strong similarities to W32/Sobig@MM. It is written in MSVC and is packed with UPX. The worm propagates via email and over network shares. It contains its own SMTP engine for constructing outgoing messages.

Mail Propagation

The worm mails itself to recipients extracted from the victim machine, constructing messages using its own SMTP engine.

As with W32/Sobig@MM, the outgoing messages constructed by the worm may omit the closing quote from the attachment filename. This can cause certain mail clients to drop the final character of the filename, so attachments may arrive with a ".PI" extension instead of the intended ".PIF".

Target email addresses are extracted from files on the victim machine with the following extensions:

  • WAB
  • DBX
  • HTM
  • HTML
  • EML
  • TXT

The worm may arrive in an email with the following characteristics:

From: support@microsoft.com

Subject:

  • Re: My application
  • Re: Movie
  • Cool screensaver
  • Screensavers
  • Re: My details
  • Your password
  • Re: Approved (Ref: 3394-65467)
  • Approved (Ref: 38446-263)
  • Your details

Attachment:

Note: As mentioned above, the file extension may be truncated to .PI instead of the intended .PIF.

  • approved.pif
  • ref-394755.pif
  • password.pif
  • application.pif
  • screen_doc.pif
  • screen_temp.pif
  • movie28.pif
  • download1053122425102485703.uue
  • doc_details.pif
  • _approved.pif

Message Body:

All information is in the attached file.
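The mail characteristics above (sender, subject list, attachment names, body text and the truncated ".PI" extension) translate directly into a gateway or mailbox check. The following is an added example, not code from McAfee or from this profile: it parses an RFC 822 message with Python's standard `email` package and reports which of the listed indicators it matches. The two sample messages are constructed for illustration; the worm sample shows the attachment name already truncated to ".pi", as a client that stripped the trailing character would present it.

```python
# Added example (not part of the McAfee profile): score a message against the
# W32/Sobig.b@MM characteristics listed in the profile. Sample messages are
# constructed for illustration.
import email
from email import policy

# Indicators as listed in the profile (lower-cased for comparison).
SOBIG_B_FROM = "support@microsoft.com"
SOBIG_B_SUBJECTS = {
    "re: my application", "re: movie", "cool screensaver", "screensavers",
    "re: my details", "your password", "re: approved (ref: 3394-65467)",
    "approved (ref: 38446-263)", "your details",
}
SOBIG_B_ATTACHMENTS = {
    "approved.pif", "ref-394755.pif", "password.pif", "application.pif",
    "screen_doc.pif", "screen_temp.pif", "movie28.pif",
    "download1053122425102485703.uue", "doc_details.pif", "_approved.pif",
}
SOBIG_B_BODY = "all information is in the attached file."


def match_attachment(filename):
    """Return the known worm filename that `filename` matches, or None.

    The worm omits the closing quote on the attachment name, so some clients
    drop the last character (".pif" becomes ".pi"). Each name is therefore also
    compared against every known name with its final character removed.
    """
    if not filename:
        return None
    name = filename.strip().lower()
    for known in SOBIG_B_ATTACHMENTS:
        if name in (known, known[:-1]):
            return known
    return None


def classify_message(raw):
    """Parse an RFC 822 message and report which Sobig.b indicators it matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = (msg.get("From") or "").strip().lower()
    subject = (msg.get("Subject") or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    matched = [match_attachment(p.get_filename()) for p in msg.iter_attachments()]
    return {
        "sender": SOBIG_B_FROM in sender,
        "subject": subject in SOBIG_B_SUBJECTS,
        "body": body == SOBIG_B_BODY,
        "attachment": [m for m in matched if m],
    }


def is_sobig_b(raw):
    """A worm attachment name plus any one other indicator counts as a hit.

    A matching attachment name on its own (for example a truncated .PI name)
    is not treated as conclusive; a matching subject alone is a common phrase
    and is ignored without the attachment.
    """
    hits = classify_message(raw)
    return bool(hits["attachment"]) and (hits["sender"] or hits["subject"] or hits["body"])


# Constructed sample resembling the described worm message.
SAMPLE_WORM_MAIL = """\
From: support@microsoft.com
To: user@example.test
Subject: Your details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

All information is in the attached file.
--b1
Content-Type: application/octet-stream; name="approved.pi"
Content-Disposition: attachment; filename="approved.pi"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed benign sample that only shares a subject line with the worm.
SAMPLE_CLEAN_MAIL = """\
From: colleague@example.test
To: user@example.test
Subject: Re: Movie
Content-Type: text/plain

Are we still on for Friday?
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(label, classify_message(raw), "-> Sobig.b:", is_sobig_b(raw))
```

The truncation handling is the part worth noting: a rule that matches only on ".pif" misses exactly the messages that the missing-quote quirk produces, so the check compares against both the intended name and its one-character-shorter form.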

Share Propagation

The worm enumerates network shares. It tries to copy itself to the following network locations if the paths are accessible:

  • \Documents and Settings\All Users\Start Menu\Programs\Startup\
  • \Windows\All Users\Start Menu\Programs\Startup\

Installation

Upon execution, the worm drops the following files into the %windir% directory:

  • "msccn32.exe" (approx 50kB) (a copy of itself)
  • "hnks.ini" (configuration file)
  • "mdbrr.ini" (configuration file)

The following Registry keys are added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"System Tray" = %WinDir%\msccn32.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"System Tray" = %WinDir%\msccn32.exe

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)
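The Installation and Share Propagation sections together give three host-side artefacts: the "System Tray" Run values pointing at msccn32.exe, the three dropped files in %WinDir%, and copies of msccn32.exe in the All Users Startup folders on reachable shares. The following is an added example, not code from McAfee or from this profile: it parses a `.reg` export and a list of file paths and reports which of those artefacts are present. The export text and path list are constructed samples (the "Example Agent" value is a benign placeholder).

```python
# Added example (not part of the McAfee profile): check a .reg export and a
# list of file paths for the W32/Sobig.b@MM persistence artefacts described
# in the profile. Inputs below are constructed samples.
from pathlib import PureWindowsPath

# Run keys from the profile, lower-cased for comparison.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
WORM_EXE = "msccn32.exe"
DROPPED_FILES = {WORM_EXE, "hnks.ini", "mdbrr.ini"}
# Startup folders the worm copies itself to over network shares.
STARTUP_DIRS = (
    r"\documents and settings\all users\start menu\programs\startup",
    r"\windows\all users\start menu\programs\startup",
)


def parse_reg_export(text):
    """Parse the string values of a .reg export into {key: {name: data}}.

    Keys are lower-cased so that HKLM\\SOFTWARE and HKLM\\Software compare
    equal; .reg files write backslashes as '\\\\', which is undone here.
    """
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                result[current][name.strip('"')] = data[1:-1].replace("\\\\", "\\")
    return result


def check_host(reg_text, file_paths):
    """Return the Sobig.b persistence indicators found in the two inputs."""
    findings = {"run_keys": [], "dropped_files": [], "startup_copies": []}
    reg = parse_reg_export(reg_text)
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            # Match on the executable name, not the value name: the value
            # name "System Tray" is recorded but is not what triggers the hit.
            if PureWindowsPath(data).name.lower() == WORM_EXE:
                findings["run_keys"].append((key, name, data))
    for raw_path in file_paths:
        path = PureWindowsPath(raw_path)
        filename = path.name.lower()
        parent = str(path.parent).lower()
        if filename == WORM_EXE and any(parent.endswith(d) for d in STARTUP_DIRS):
            findings["startup_copies"].append(raw_path)
        elif filename in DROPPED_FILES:
            findings["dropped_files"].append(raw_path)
    return findings


# Constructed .reg export: both Run values from the profile plus a benign entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System Tray"="C:\\WINNT\\msccn32.exe"
"Example Agent"="C:\\Program Files\\Example\\agent.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray"="C:\\WINNT\\msccn32.exe"
"""

# Constructed path list: the %WinDir% drops, a benign file, and a Startup
# folder copy on a remote share (FILESRV is a placeholder host name).
SAMPLE_FILE_PATHS = [
    r"C:\WINNT\msccn32.exe",
    r"C:\WINNT\hnks.ini",
    r"C:\WINNT\mdbrr.ini",
    r"C:\WINNT\notepad.exe",
    r"\\FILESRV\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\msccn32.exe",
]

if __name__ == "__main__":
    for category, items in check_host(SAMPLE_REG_EXPORT, SAMPLE_FILE_PATHS).items():
        print(category, items)
```

On a live Windows host the same checks would be fed from `reg export` output and a directory listing of %WinDir% and the Startup folders; the parser normalises key case because exports from different systems capitalise `SOFTWARE` differently.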


All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations
