Virus Database

I-Worm.Sobig.b (aka Palyh)

Description I-Worm.Sobig.b (aka Palyh)

Sobig.b is a worm virus spreading via the Internet as an e-mail attachment. The worm also spreads across local area networks.
The worm itself is a Windows PE EXE file, written in Microsoft Visual C++, and compressed by UPX. The file size is about 50KB when compressed (UPX). The decompressed size is about 110KB.
The worm activates from infected email only if a user clicks on the attached file.
When run the worm installs itself to the system and runs its spreading routine.
Installing
While installing the worm copies itself to the Windows directory under the name msccn32.exe and registers itself in the system registry auto-run keys:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
System Tray = %WindowsDir%msccn32.exe

HKLMSoftwareMicrosoftWindowsCurrentVersionRun
System Tray = %WindowsDir%msccn32.exe

Because of a bug the worm in some cases copies itself to the wrong directoris (root drive, current directory), but anyway its spreading routines will activate upon the next computer restart.
Spreading: email
To send out infected messages the worm uses a direct connection to the default SMTP server. To get victim email addresses the worm looks for .TXT, .EML, .HTML, .HTM, .DBX, .WAB files in all directrories on all available local drives, then retrieves email-like strings from the files that are found.
Following are possible message characteristics:
From:

support@microsoft.com


Subject:

Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My Your password
Re: Approved (Ref: 3394-65467)
Approved (Ref: 38446-263)
Your
Message Body:

All information is in the attached file.

Attached file name:

your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif

The worm also creates the file hnks.ini in the Windows directory and writes the found email addresses to this file.
Spreading via network
The worm deciphers all accessible network resources (other computers in a network) and copies itself to the auto-start directoris (if there are such subdirectories) of eligible machines.
WindowsAll UsersStart MenuProgramsStartUp
Documents and SettingsAll UsersStart MenuProgramsStartup

Updating
The worm downloads files from four Web places (that are "hardcoded" in the worm's body) and executes them. As a result the worm is able to update itself with new versions, and/or install other applications (trojan programs, for example).
Other
All worm routines (except "Updating") are active till May 31, 2003. Meaning the worm does not run its spreading (both email and network) routines after May 31, 2003.

Check other viruses! Be aware! Use Antiviral Software

Cracky.546.a

Description Cracky.546.a

This is a memory resident parasitic virus. It writes the TSR part into the DOS data area, hooks INT 21h and infects by a standard manner the COM files upon their execution. It contains the mask string "*.com". It sometimes types "Cracky !".

Cracky.596

Description Cracky.596

This is a memory resident parasitic virus. It writes the TSR part into the DOS data area, hooks INT 21h and infects by a standard manner the COM files upon their execution. It contains the mask string "*.com". On April, 1st it erases the disk C: FAT sectors, it also contains the text "Milena".

Home