Description
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Indication of Infection
- Existence of the file WINMGM32.EXE in the Windows directory, file size 65,536 bytes.
- Existence of the file SNTMLS.DAT in the Windows directory.
- Existence of the file DWN.DAT in the Windows directory.
Methods of Infection
At least one field sample AVERT has received was dropped by a multidropper package. This package dropped two files - a pornographic image (which is displayed) and the worm. The multidropper package is detected as MultiDropper-FB with the 4242 DATs.
When run, the worm installs itself into the Windows directory as WINMGM32.EXE. Two registry hooks are added to hook system startup, for example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsMGM" = C:\WINDOWS\winmgm32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsMGM" = C:\WINDOWS\winmgm32.exe
Email addresses harvested from the local machine are written to the file (confirmed via field reports, not observed in testing):
%WinDir%\SNTMLS.DAT
The worm retrieves a text file from a Geocities user page (http://www.geocities.com/reteras). At the time of writing, this file contained a single URL:
http://www.doesnotexist.com/blah.txt
If retrieved successfully, this URL is written to the file %WinDir%\DWN.DAT.
Since analysis started, the URL has been updated, and references a remote PE file which the worm subsequently attempts to download. This file is detected as BackDoor-AOT with the 4242 DATs.
The worm contains the string:
Worm.X
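The indicators above (the three dropped files in the Windows directory, the WindowsMGM Run values under HKCU and HKLM, and the poll of the Geocities page) can be turned into a small host and proxy-log check. The script below is an added example, not AVERT's or McAfee's tooling; it takes the host inventory as plain Python data (a list of (path, size) tuples and a dict of Run-key values) so it runs offline, and the sample inventory and proxy log lines are constructed for illustration. On a live host the same data would be collected with os.scandir and winreg; the function and constant names are hypothetical.

```python
"""Match the W32/Sobig@MM indicators from the advisory against a host inventory.

Added example (not advisory code). Inventory and log lines are passed in as
data so the checks run anywhere; on Windows, gather them with os.scandir and
winreg. Helper names are hypothetical.
"""
import ntpath
import re

# Dropped files in the Windows directory; only WINMGM32.EXE has a stated size.
FILE_INDICATORS = {
    "WINMGM32.EXE": 65536,
    "SNTMLS.DAT": None,
    "DWN.DAT": None,
}

# Run value the worm adds under both HKCU and HKLM, and the image it points at.
RUN_VALUE_NAME = "WindowsMGM"
RUN_IMAGE_NAME = "winmgm32.exe"

# The Geocities page the worm polls for its update pointer.
UPDATE_URL_RE = re.compile(r"geocities\.com/reteras", re.IGNORECASE)


def check_files(inventory, windir="C:\\WINDOWS"):
    """Return (path, verdict) for indicator files found directly in windir.

    inventory: iterable of (full_path, size_in_bytes). A name match with the
    wrong size is still reported (as a separate verdict) so a repacked or
    padded copy of WINMGM32.EXE is not silently missed.
    """
    hits = []
    windir_norm = ntpath.normcase(windir.rstrip("\\"))
    for path, size in inventory:
        head, name = ntpath.split(path)
        if ntpath.normcase(head.rstrip("\\")) != windir_norm:
            continue  # same name elsewhere (e.g. system32) is not this indicator
        key = name.upper()
        if key not in FILE_INDICATORS:
            continue
        expected = FILE_INDICATORS[key]
        if expected is None or size == expected:
            hits.append((path, "match"))
        else:
            hits.append((path, f"name match, size {size} != {expected}"))
    return hits


def check_run_keys(run_values):
    """Return (key, value_name, data) for Run entries matching the worm's hook.

    run_values: dict mapping a hive-qualified Run key path -> {name: data}.
    Matches on the value name or on the image file name, so a renamed value
    that still launches winmgm32.exe is caught.
    """
    hits = []
    for key, values in run_values.items():
        for name, data in values.items():
            image = ntpath.basename(data.strip('"')).lower()
            if name.lower() == RUN_VALUE_NAME.lower() or image == RUN_IMAGE_NAME:
                hits.append((key, name, data))
    return hits


def scan_proxy_log(lines):
    """Return log lines in which a client fetched the worm's update page."""
    return [line for line in lines if UPDATE_URL_RE.search(line)]


# Constructed sample data (not captured from a real host).
SAMPLE_INVENTORY = [
    (r"C:\WINDOWS\winmgm32.exe", 65536),
    (r"C:\WINDOWS\SNTMLS.DAT", 1204),
    (r"C:\WINDOWS\notepad.exe", 66048),
    (r"C:\WINDOWS\system32\dwn.dat", 10),  # wrong directory: no hit
]
SAMPLE_RUN_VALUES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "WindowsMGM": r"C:\WINDOWS\winmgm32.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {
        "WindowsMGM": r"C:\WINDOWS\winmgm32.exe",
    },
}
SAMPLE_PROXY_LOG = [  # squid-style lines, constructed
    "1041350400.123 10.0.0.5 TCP_MISS/200 GET http://www.geocities.com/reteras/ - DIRECT",
    "1041350401.456 10.0.0.7 TCP_MISS/200 GET http://www.example.org/index.html - DIRECT",
]

if __name__ == "__main__":
    for hit in check_files(SAMPLE_INVENTORY):
        print("file:", hit)
    for hit in check_run_keys(SAMPLE_RUN_VALUES):
        print("run key:", hit)
    for line in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy:", line)
```

The file check deliberately scopes to the Windows directory itself, since the advisory places all three files there, and reports a size mismatch on WINMGM32.EXE rather than dropping it; the Run-key check matches on either the value name or the image name so that one of the two hooks being renamed does not hide the other.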
Aliases
I-Worm.Sobig (AVP), W32.Sobig.A@mm (Symantec), W32/Sobig (Panda), W32/Sobig-A (Sophos), W32/Sobig@MM, Win32.Sobig (CA), WORM_SOBIG.A (Trend)