Virus Database


I-Worm.Sobig

Description I-Worm.Sobig

Sobig is a worm virus spreading via the Internet as an attachment to infected emails. It also downloads and sets up a Backdoor program.
The worm itself is a Windows PE EXE file about 64 KB in length (when compressed by TeLock), and written in Microsoft Visual C++.
Infected messages have the following characteristics:
From:
big@boss.com

Subject: (one of the following)
Re: Movies
Re: Sample
Re: Document
Re: Here is that sample

Attachment: (one of the following)
Movie_0074.mpeg.pif
Document003.pif
Untitled1.pif
Sample.pif

The worm activates from an infected email only if the user opens the attached file. Once run, it installs itself to the system and then runs its spreading routine and payload.
Installing
While installing, the worm copies itself to the Windows directory under the name WINMGM32.EXE and registers this file in the system registry auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsMGM" = winmgm32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsMGM" = winmgm32.exe

Spreading via E-mail
To send infected messages the worm uses an SMTP server. To collect victim addresses it looks for files with the extensions *.WAB, *.DBX, *.HTM, *.HTML, *.EML and *.TXT and scans them for email address strings.
Spreading via Local Network
The worm enumerates network shares and tries to copy itself, under the name WINMGM32.EXE, to one of the following folders:
Windows\All Users\Start Menu\Programs\StartUp
Documents and Settings\All Users\Start Menu\Programs\Startup
Set-up for the Backdoor Program
The worm downloads a text file that contains a link to an executable PE file, downloads that file into the Windows directory under the name DWN.DAT and runs it.
The worm contains the following text strings:
B.ROOT-SERVERS.NET A.ROOT-SERVERS.NET
a+ %s
big@boss.com
[A-Za-z0-9]+[A-Za-z0-9_.-]+@(([A-Za-z0-9-])+[.])+[A-Za-z]+
*.* x: From <%s> "%s" To Subject Date %s %s %c%4.4d H:mm:ss ddd, d MMM yyyy Importance
Microsoft Outlook Express 6.00.2600.0000 X-Mailer Normal X-MSMail-Priority 3 (Normal)
X-Priority ; filename=" attachment inline Content-Disposition:
Content-Transfer-Encoding: %s ; name="%s" Content-Type: %s Content Type
application/octet-stream --%s --%s-- Content-ID: <%s> Content-Transfer-Encoding: ;
charset="%s" text/ Content-Type: -- --%s Content-Type: multipart/alternative;
boundary="%s" CSmtpMsgPart123X456_001_%8.8X %s This is a multipart
message in MIME format %s: %s Message-ID 1.0 MIME-Version " ;
boundary=" mixed alternative related multipart/
CSmtpMsgPart123X456_000_%8.8X Content-
Type = =%2.2X -;.,?! Encoding took %dms all 7bit 8bit
quoted-printable base64 SMTP tcp text/plain iso-8859-1 QUIT
EHLO %s %s Password: Username: AUTH LOGIN MAIL FROM: <%s> RCPT TO: <%s>.
DATA http://www.geocities.com/reteras/reteral.txt 0 Hello Attached
file: Movie_0074.mpeg.pif Document003.pif Untitled1.pif Sample.pif Re:
Movies Re: Sample Re: Document Re: Here is that sample 2003.1.23
Ret code: %d sntmls.dat dwn.dat r Windows\All Users\Start
Menu\Programs\StartUp Documents and Settings\All Users\Start
Menu\Programs\Startup $ @pager.icq.com mail@mail.com Notify
pager.icq.com start WindowsMGM
SOFTWARE\Microsoft\Windows\CurrentVersion\Run wab dbx htm html eml txt
Worm.X winmgm32.exe Worm.X

I-Worm.Sobig.b

Description I-Worm.Sobig.b
This is a worm virus spreading via the Internet as a file attachment to infected emails. The worm also spreads via local area networks.

The worm itself is a Windows PE EXE file, written in Microsoft Visual C++ and compressed by UPX. The compressed file is 50 KB or larger; the decompressed file is 110 KB or larger.

The worm activates from infected email only when a user clicks on the attached file.

When run, the worm installs itself to the system and runs its spreading routine.

Installing

While installing, the worm copies itself to the Windows directory under the name "msccn32.exe" and registers itself in the system registry auto-run keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe

Because of a bug the worm in some cases copies itself to the wrong directory (the root of the drive or the current directory); despite this, its spreading routines still activate upon the next restart of the computer.

Spreading via email

To send infected messages the worm uses a direct connection to the default SMTP server. To collect victim addresses the worm looks for .TXT, .EML, .HTML, .HTM, .DBX and .WAB files in all directories on all available local drives; Palyh then extracts email-like strings from the files that are found.

Messages have the following attributes:

From:
support@microsoft.com

Subject: (one of the following)
Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My Your password
Re: Approved (Ref: 3394-65467)
Approved (Ref: 38446-263)

Your Message Body:
All information is in the attached file.

Attached file name: (one of the following)
your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif

The worm also creates a file named "hnks.ini" in the Windows directory and writes to this file the email addresses that were found on an infected machine.
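The message characteristics listed for both variants above, turned into a mail-gateway triage check. This is an added example, not code from the database or from the worm: it parses one raw message and names the variant from the sender, subject, attachment name and the worm's fixed MIME boundary prefix (CSmtpMsgPart123X456_). The indicator tables and the sample message are constructed from the two descriptions above.

```python
import email
from email import policy
from email.utils import parseaddr

# Indicator tables built from the two descriptions above (sender, subjects, attachment names).
VARIANTS = {
    "I-Worm.Sobig": {
        "sender": "big@boss.com",
        "subjects": {"Re: Movies", "Re: Sample", "Re: Document", "Re: Here is that sample"},
        "attachments": {"Movie_0074.mpeg.pif", "Document003.pif", "Untitled1.pif", "Sample.pif"},
    },
    "I-Worm.Sobig.b": {
        "sender": "support@microsoft.com",
        "subjects": {"Re: My application", "Re: Movie", "Cool screensaver", "Screensaver",
                     "Re: Approved (Ref: 3394-65467)", "Approved (Ref: 38446-263)"},
        "attachments": {"your_details.pif", "ref-394755.pif", "approved.pif", "password.pif", "doc_details.pif",
                        "screen_temp.pif", "screen_doc.pif", "movie28.pif", "application.pif"},
    },
}
BOUNDARY_PREFIX = "CSmtpMsgPart123X456_"  # the worm's own boundary template: CSmtpMsgPart123X456_000_%8.8X

def classify(raw: bytes) -> dict:
    """Triage one raw RFC 822 message: returns the matched variant (or None) and every hit."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = str(msg.get("Subject", "")).strip()
    files = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    hits, variant = [], None
    if (msg.get_boundary() or "").startswith(BOUNDARY_PREFIX):
        hits.append("sobig-boundary")
    if any(f.lower().endswith(".pif") for f in files):
        hits.append("pif-attachment")  # worth quarantining even when the name is not listed
    for name, ind in VARIANTS.items():
        checks = {"sender": sender == ind["sender"], "subject": subject in ind["subjects"],
                  "attachment": any(f in ind["attachments"] for f in files)}
        matched = [k for k, ok in checks.items() if ok]
        hits += [f"{name}:{m}" for m in matched]
        # A listed attachment name, or sender plus subject together, is enough to name the variant.
        if "attachment" in matched or {"sender", "subject"} <= set(matched):
            variant = name
    return {"variant": variant, "hits": hits}

# Constructed sample message in the shape the Sobig.b strings describe (not a real capture).
SAMPLE = (b"From: support@microsoft.com\nSubject: Re: My application\nMIME-Version: 1.0\n"
          b'Content-Type: multipart/mixed; boundary="CSmtpMsgPart123X456_000_0000ABCD"\n\n'
          b"--CSmtpMsgPart123X456_000_0000ABCD\nContent-Type: text/plain\n\nAll information is in the attached file.\n"
          b"--CSmtpMsgPart123X456_000_0000ABCD\nContent-Type: application/octet-stream\n"
          b'Content-Disposition: attachment; filename="application.pif"\n\nTVo=\n'
          b"--CSmtpMsgPart123X456_000_0000ABCD--\n")
```

Calling classify(SAMPLE) names I-Worm.Sobig.b with five hits; a plain message with none of the traits returns no variant and an empty hit list.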

Spreading via network

The worm enumerates all accessible network resources (other computers in the network) and copies itself into the auto-run directories that are present:

Windows\All Users\Start Menu\Programs\StartUp
Documents and Settings\All Users\Start Menu\Programs\Startup

Updating

The worm downloads files from four Web addresses (they are "hardcoded" in the worm body) and executes them. As a result the worm is able to "upgrade" itself with new versions, and/or install other applications (trojan programs, for example).

Other

All worm routines except "Updating" (see above) are active only until May 31, 2003: after that date the worm no longer runs its email and network spreading routines.

Copyright © 2005 Virus-Database.com