Virus Characteristics
-- Update September 22, 2003 --
The risk assessment was lowered to Low-Profiled.
This detection is for a new variant of W32/Sobig. In common with previous variants, the worm is written in MSVC, and bears the following characteristics:
- propagates via email, constructing outgoing messages with its own SMTP engine
- propagates over network shares (not confirmed during testing)
Note:
The worm carries garbage data appended to the end of the file, so the exact file size and file checksum may vary.
Installation
The worm copies itself onto the victim machine as WINPPR32.EXE into %Windir%, for example:
C:\WINNT\WINPPR32.EXE
A configuration file is also dropped to %Windir%:
C:\WINNT\WINSTT32.DAT
The following Registry keys are added to hook system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc
Mail Propagation
The worm mails itself to email addresses harvested from the victim machine, using its own SMTP engine to construct outgoing messages. Target email addresses are harvested from files with the following extensions:
- DBX
- HLP
- MHT
- WAB
- EML
- TXT
- HTM
- HTML
Outgoing messages are constructed as follows:
From:
(may be admin@internet.com but could be virtually any address)
Subject:
- Your details
- Thank you!
- Re: Thank you!
- Re: Details
- Re: Re: My details
- Re: Approved
- Re: Your application
- Re: Wicked screensaver
- Re: That movie
Attachment:
- your_document.pif
- document_all.pif
- thank_you.pif
- your_details.pif
- details.pif
- document_9446.pif
- application.pif
- wicked_scr.scr
- movie0045.pif
Body:
- See the attached file for details
- Please see the attached file for details
The "From:" address may be spoofed with an address extracted from the victim machine. Therefore the perceived sender is most likely not a pointer to the infected user.
The attachment must be run manually to infect the local system. Additionally, messages sent by the virus contain the following header fields (note: these are also commonly found in legitimate email messages):
- X-MailScanner: Found to be clean
- X-Mailer: Microsoft Outlook Express 6.00.2600.0000
The virus sends itself via its own SMTP engine, which requires an ESMTP server to send itself successfully. The virus does an MX lookup on the target domain (i.e. when sending itself to user@domain.com, it sends through the servers specified in the MX record for domain.com).
Contacting Remote NTP Servers
The worm contains a list of IP addresses for remote NTP servers, to which it sends NTP packets (destination UDP port 123).
The worm obtains the UTC time from one of these servers, which it uses to determine when to attempt to download remote file(s).
Self-Termination
In common with previous W32/Sobig variants, this variant contains a date triggered self-termination routine. If the date is September 10th 2003 or later, the worm will no longer propagate.
Downloading Functionality
The worm is capable of retrieving file(s) from a remote server. The specific URL is controlled by the author and is issued in response to data sent from infected machines.
At a specific time (as determined via NTP), the worm sends data from infected machines to a number of remote systems on UDP port 8998:
The specific time condition for this event is between 19:00 and 22:00 (UTC) on a Friday or Sunday. These IP addresses are in the process of being shut down.
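As an added example (not part of this description), the following Python checks a constructed firewall log for UDP/8998 flows that fall inside the trigger window just described, converting each timestamp to UTC first since the worm keys off NTP-derived UTC time. The log format, the documentation-range IP addresses and the function names are assumptions made for illustration.

```python
"""Flag UDP/8998 flows that fall inside W32/Sobig.f's download-trigger window
(19:00-22:00 UTC, Friday or Sunday). Log format is a hypothetical one constructed
for this example: <ISO-8601 timestamp with offset> <src> <dst> <proto> <dst_port>"""
from datetime import datetime, timezone

TRIGGER_PORT = 8998
TRIGGER_DAYS = {4, 6}              # datetime.weekday(): Friday = 4, Sunday = 6
WINDOW_START, WINDOW_END = 19, 22  # UTC hours, half-open [19:00, 22:00)

def in_trigger_window(ts: datetime) -> bool:
    """True if the timezone-aware timestamp lies in the trigger window."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    utc = ts.astimezone(timezone.utc)  # the worm keys off NTP-derived UTC time
    return utc.weekday() in TRIGGER_DAYS and WINDOW_START <= utc.hour < WINDOW_END

def parse_line(line: str):
    ts_str, src, dst, proto, port = line.split()
    return datetime.fromisoformat(ts_str), src, dst, proto.upper(), int(port)

def is_sobig_beacon(line: str) -> bool:
    """True for a UDP/8998 flow logged inside the trigger window."""
    ts, _src, _dst, proto, port = parse_line(line)
    return proto == "UDP" and port == TRIGGER_PORT and in_trigger_window(ts)

def find_sobig_beacons(lines):
    """Return (src, dst, utc_timestamp) for every matching log line."""
    hits = []
    for line in lines:
        if is_sobig_beacon(line):
            ts, src, dst, _proto, _port = parse_line(line)
            hits.append((src, dst, ts.astimezone(timezone.utc).isoformat()))
    return hits

# Constructed sample log (documentation-range addresses, not the worm's own list).
SAMPLE_LOG = [
    "2003-08-22T19:05:00+00:00 192.0.2.10 198.51.100.7 UDP 8998",  # Fri, in window
    "2003-08-22T19:04:30+00:00 192.0.2.10 198.51.100.7 UDP 123",   # NTP, wrong port
    "2003-08-23T20:00:00+00:00 192.0.2.11 198.51.100.8 UDP 8998",  # Saturday
    "2003-08-24T20:30:00+02:00 192.0.2.12 198.51.100.9 UDP 8998",  # Sun, 18:30 UTC
    "2003-08-24T21:59:00+00:00 192.0.2.13 198.51.100.9 UDP 8998",  # Sun, in window
    "2003-08-24T22:00:00+00:00 192.0.2.13 198.51.100.9 TCP 8998",  # closed, and TCP
]

if __name__ == "__main__":
    for src, dst, when in find_sobig_beacons(SAMPLE_LOG):
        print(f"possible Sobig beacon {src} -> {dst}:{TRIGGER_PORT} at {when}")
```

A UDP/8998 flow outside the window is still worth a look, but one inside it on a host that also just queried NTP (UDP/123) is a strong match for this variant's behaviour.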