Virus Profile: W32/Sobig.c@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Medium | Corporate Medium
Date Discovered: 5/31/2003
Date Added: 5/31/2003
Origin: Unknown
Length: 59,211 bytes
Type: Virus
Subtype: E-mail worm
DAT Required: 4268
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Presence of the file mscvb32.exe in the WINDOWS (%WinDir%) directory

Methods of Infection

This worm propagates via email and network shares.

The worm contains a routine which retrieves and checks the system date/time. If the date matches 8th June 2003 (or later), the worm no longer propagates (it will successfully install itself on target machines however).

Aliases

W32.Sobig.C@mm (Symantec), W32/Sobig.C@mm (F-Secure), W32/Sobig.dam, WORM_SOBIG.C (Trend)
   

Virus Characteristics

-- Update June 01, 2003 --
Due to an increase in prevalence over the past 24 hours, the risk assessment of this threat has been upgraded to Medium.

A new variant of the W32/Sobig virus has been discovered on 31st May 2003.

This variant is detected as W32/Sobig.dam in the 4267 DATs (released 28th May 2003). McAfee customers who updated to this version of DATs, or above, are therefore protected from this new variant.

This worm in similar to W32/Sobig.b@MM.The worm propagates via email and over network shares. It contains its own SMTP engine for constructing outgoing messages.

Mail Propagation

The worm mails itself to recipients extracted from the victim machine, constructing messages using its own SMTP engine.

Similarly to W32/Sobig@MM, the outgoing messages constructed by the worm may have a closing quote omitted from the attachment filename. With certain mail server products, this may result in the loss of a character from the remaining filename, thus attachments may have a ".PI" extension (as opposed to ".PIF").

Target email addresses are extracted from files on the victim machine with the following extensions:

  • WAB
  • DBX
  • HTM
  • HTML
  • EML
  • TXT

The worm may arrive in an email with the following characteristics:

From: bill@microsoft.com * (could be any address, see note below)
Subject: (one of the following)

  • Approved
  • Re: 45443-343556
  • Re: Application
  • Re: Approved
  • Re: Movie
  • Re: Screensaver
  • Re: Submited (004756-3463)
  • Re: Your application

Attachment: (one of the following)

Note: As mentioned above, the file extension may be truncated to .PI instead of the intended .PIF.

  • 45443.pif
  • application.pif
  • approved.pif
  • document.pif
  • documents.pif
  • movie.pif
  • screensaver.scr
  • submited.pif
Message Body: Please see the attached file.

* Note: This variant spoofs, or forges, the from address. Therefore the perceived sender is likely not a pointer to the infected user.

Share Propagation

The worm enumerates network shares. It tries to copy itself to the following network locations if the paths are accessible:

  • \Documents and Settings\All Users\Start Menu\Programs\Startup\
  • \Windows\All Users\Start Menu\Programs\Startup\

Installation

Upon execution, the worm drops the following files into the %windir% directory:

  • "mscvb32.exe" (approx 50kB) (a copy of itself)
  • "msddr.dat" (configuration file)

The following Registry keys are added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"System MScvb" = %WinDir%\mscvb32.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"System MScvb" = %WinDir%\mscvb32.exe

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

   

Detection is included in the released 4267 DAT files as W32/Sobig.dam. The 4268 DAT files contain detection and removal as W32/Sobig.c@MM.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the 4.1.60+ engine and 4268 DATs+.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode)
  2. Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt)
    • mscvb32.exe
    • msddr.dat
  3. Delete unusual executables from the following folders:
    • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    • C:\Windows\All Users\Start Menu\Programs\Startup\
  4. Edit the registry
    • Delete the "System MScvb" value from
      1. "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
      2. "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
  5. Reboot the system

Additional Windows ME/XP removal considerations