I-Worm.Sobig. Viruses Information

Name: I-Worm.Sobig.
Category: Viruses
Description: Details
I-Worm.Sobig.e
Sobig.e is a worm virus spreading via the Internet as a file attached to infected emails. The Sobig.e worm also spreads through open network shares.
The worm itself is a Windows PE EXE file written in Microsoft Visual C++ and compressed with the TeLock utility. The compressed file is typically around 80K or larger; decompressed it is about 130K.
What separates Sobig.e from its four predecessors is its use of the Zip file format; what it does after infecting a system is virtually identical to the earlier Sobig variants.
The Sobig.e worm activates from an infected email only when a user opens the attached file, or unzips it first, depending on the attachment's format.
When run, the worm installs itself on the system and runs its spreading routine.
Installing
While installing, the worm copies itself to the Windows directory under the name winssk32.exe and registers itself in the system registry auto-run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SSK Service = %WindowsDir%\winssk32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SSK Service = %WindowsDir%\winssk32.exe

Spreading: email
To send infected messages the worm uses a built-in SMTP engine. To collect victim addresses the worm looks for .TXT, .EML, .HTML, .HTM, .DBX, and .WAB files in all directories on all available local drives and extracts email-like strings from the files it finds.
Below are the variations of Sobig.e message content:
The "From" field contains a fake email address (found on the infected machine) or "support@yahoo.com"

Subject:

"Re: Movie"
"Re: Movies"
"Re: Submited (Ref: 003746)"
"Re: Screensaver"
"Re: Documents"
"Re: Re: Application ref. 003644"
"Re: Re: Document"
"Your application"



Message Body:

'Please see the attached zip file for details.'

Attached file name:

"details.pif"
"application.zip"
"application.pif"
"document.zip"
"document.pif"
"screensaver.zip"
"sky_world.scr"
"Movie.zip"
"Movie.pif"

The files with the "zip" extension are archives that contain the worm's executable file.
The worm also creates the file msrrf.dat in the Windows directory and writes to this file the email addresses that were found on an infected machine.
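The message indicators above (spoofed sender, fixed subjects, fixed body, fixed attachment names, and a zip that merely wraps a .pif) are what a mail gateway would match on. The following script is an added example, not part of the original description: it scores constructed message records against those indicators and inspects the member names of an in-memory zip archive without extracting anything. The message samples and the zip contents are constructed here for illustration.

```python
"""Mail-gateway style triage for Sobig.e-like messages (added example).

The indicator lists are taken from the description above; the message
records and the zip archive are constructed so the script runs offline.
"""
import io
import zipfile

# Indicators quoted in the description
SUBJECTS = {
    "Re: Movie", "Re: Movies", "Re: Submited (Ref: 003746)", "Re: Screensaver",
    "Re: Documents", "Re: Re: Application ref. 003644", "Re: Re: Document",
    "Your application",
}
BODY = "Please see the attached zip file for details."
ATTACHMENTS = {
    "details.pif", "application.zip", "application.pif", "document.zip",
    "document.pif", "screensaver.zip", "sky_world.scr", "Movie.zip", "Movie.pif",
}
SPOOFED_SENDER = "support@yahoo.com"
# Extensions Windows runs directly; .pif and .scr are the ones the worm uses
EXEC_EXTS = (".pif", ".scr", ".exe", ".com", ".bat", ".cmd")


def zip_has_executable(data: bytes) -> bool:
    """True if any member of the zip has an executable extension.
    Only member names are read; nothing is extracted or executed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(EXEC_EXTS) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def score_message(msg: dict) -> list:
    """Return the Sobig.e indicators matched by one message record.

    msg keys: sender, subject, body, attachment (file name), data (attachment bytes).
    """
    hits = []
    if msg.get("sender", "").lower() == SPOOFED_SENDER:
        hits.append("sender")
    if msg.get("subject") in SUBJECTS:
        hits.append("subject")
    if BODY in msg.get("body", ""):
        hits.append("body")
    name = msg.get("attachment", "")
    if name in ATTACHMENTS:
        hits.append("attachment-name")
    if name.lower().endswith(EXEC_EXTS):
        hits.append("executable-attachment")
    if name.lower().endswith(".zip") and zip_has_executable(msg.get("data", b"")):
        hits.append("zip-wraps-executable")
    return hits


def is_suspicious(msg: dict) -> bool:
    """A zip wrapping an executable, or two independent indicators, is enough to quarantine.
    A lone subject match is not: 'Re: Movies' is a perfectly ordinary reply."""
    hits = score_message(msg)
    return "zip-wraps-executable" in hits or len(hits) >= 2


def make_zip(member: str, payload: bytes = b"constructed placeholder, not a binary") -> bytes:
    """Constructed helper: build an in-memory zip with one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


# Constructed sample messages (not real captures)
SAMPLES = [
    {"sender": "support@yahoo.com", "subject": "Re: Movie",
     "body": "Please see the attached zip file for details.",
     "attachment": "Movie.zip", "data": make_zip("Movie.pif")},
    {"sender": "alice@example.com", "subject": "Re: Movies",
     "body": "Here is the trailer we talked about.",
     "attachment": "trailer.zip", "data": make_zip("trailer.mp4")},
]

if __name__ == "__main__":
    for m in SAMPLES:
        verdict = "SUSPICIOUS" if is_suspicious(m) else "ok"
        print(m["attachment"], score_message(m), verdict)
```

The zip check matters more than the name lists: attachment names and subjects change between variants, but an archive whose only member is a .pif or .scr is a stable signal that survives renaming.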
Spreading: via network
The worm enumerates all accessible network resources (other computers in the network) and copies itself to the auto-start directories (where such subdirectories exist) of each resource (computer) it finds:
Windows\All Users\Start Menu\Programs\StartUp
Documents and Settings\All Users\Start Menu\Programs\Startup

Updating
The worm opens network connections on ports 995, 996, 997, 998, and 999, and then takes commands from its "master", and receives data from its "master". The data comes in the form of some URLs. The worm downloads files from these URLs and executes them. As a result the worm is able to "upgrade" itself with new versions, and/or to install other applications (trojan programs for example).
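The host-side indicators in the Installing, network spreading and Updating sections (the SSK Service Run value, winssk32.exe and msrrf.dat in the Windows directory, copies in the All Users Startup folders, and listeners on ports 995 to 999) can be checked together during incident triage. The script below is an added example, not part of the original description: it runs those checks over constructed snapshots (autorun values, a file listing, and netstat-style lines whose layout is assumed, not copied from a real tool) so that it works offline on any platform. The constant values come from the description; the sample data and the `confidence` labelling are this example's own.

```python
"""Host triage for the Sobig.e indicators given above (added example).

Inputs are constructed snapshots rather than live registry or socket
queries, so the logic can be read and tested on any platform.
"""
import re

WORM_FILE = "winssk32.exe"
RUN_VALUE = "SSK Service"
ADDRESS_CACHE = "msrrf.dat"          # harvested addresses are written here
STARTUP_DIRS = (
    r"windows\all users\start menu\programs\startup",
    r"documents and settings\all users\start menu\programs\startup",
)
MASTER_PORTS = {995, 996, 997, 998, 999}   # ports the worm opens for its "master"

# Constructed line layout: proto local_addr:port remote_addr [LISTENING] pid process
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s+(\S+)", re.I)


def check_autoruns(values):
    """values: iterable of (key, value_name, value_data). Return entries that match."""
    return [v for v in values
            if v[1] == RUN_VALUE or v[2].lower().endswith(WORM_FILE)]


def check_files(paths):
    """Return paths that are the worm body, its address cache, or an .exe dropped
    into one of the All Users Startup folders (local or on a reachable share)."""
    hits = []
    for p in paths:
        low = p.lower().replace("/", "\\")
        if low.endswith("\\" + WORM_FILE) or low.endswith("\\" + ADDRESS_CACHE):
            hits.append(p)
        elif any(d in low for d in STARTUP_DIRS) and low.endswith(".exe"):
            hits.append(p)
    return hits


def check_listeners(lines):
    """Return sockets on the worm's command ports, with a confidence label."""
    findings = []
    for line in lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, port, pid, proc = m.group(1).upper(), int(m.group(2)), int(m.group(3)), m.group(4)
        if port not in MASTER_PORTS:
            continue
        # 995 is also the standard POP3-over-TLS port, so a listener there is
        # only conclusive when it belongs to the worm's own process name.
        confidence = "high" if proc.lower() == WORM_FILE else "low"
        findings.append({"proto": proto, "port": port, "pid": pid,
                         "process": proc, "confidence": confidence})
    return findings


def triage(autoruns, files, netstat_lines):
    """Combine the three checks; any persistence hit or a high-confidence listener
    is treated as an infection, a low-confidence listener alone is not."""
    result = {
        "autoruns": check_autoruns(autoruns),
        "files": check_files(files),
        "listeners": check_listeners(netstat_lines),
    }
    high = any(f["confidence"] == "high" for f in result["listeners"])
    result["infected"] = bool(result["autoruns"] or result["files"] or high)
    return result


# Constructed sample snapshots (not from a real machine)
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "SSK Service", r"C:\WINDOWS\winssk32.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_FILES = [
    r"C:\WINDOWS\winssk32.exe",
    r"C:\WINDOWS\msrrf.dat",
    r"C:\WINDOWS\notepad.exe",
    r"\\fileserver\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\winssk32.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini",
]
SAMPLE_NETSTAT = [
    "UDP  0.0.0.0:995  *:*  1234  winssk32.exe",
    "TCP  0.0.0.0:995  0.0.0.0:0  LISTENING  512  stunnel.exe",
    "TCP  0.0.0.0:135  0.0.0.0:0  LISTENING  900  svchost.exe",
]

if __name__ == "__main__":
    for k, v in triage(SAMPLE_AUTORUNS, SAMPLE_FILES, SAMPLE_NETSTAT).items():
        print(k, v)
```

The port check is deliberately the weakest signal: the description gives the port numbers but not the protocol, and 995 overlaps a legitimate mail service, so the Run key value and the two file names in the Windows directory are what should drive the verdict.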
Other
All worm routines (except "Updating" - see above) are active until July 14, 2003. This means the worm does not run its spreading (both email and network) routines after July 14, 2003.


