Other versions: .b, .c, .e, .f
Email-Worm.Win32.Sobig.a (Kaspersky Lab) is also known as:
I-Worm.Sobig.a (Kaspersky Lab), W32/Sobig.a@MM (McAfee), W32.Sobig.A@mm (Symantec), Win32.HLLM.Reteras (Doctor Web), W32/Sobig-A (Sophos), Win32/Sobig.A@mm (RAV), WORM_SOBIG.A (Trend Micro), Worm/Sobig.A (H+BEDV), W32/Sobig.A@mm (FRISK), Win32:Sobig (ALWIL), I-Worm/Sobig.A (Grisoft), Win32.Sobig.A@mm (SOFTWIN), Worm.Sobig.A (ClamAV), W32/Sobig (Panda), Win32/Sobig.A (Eset)
Sobig is a worm that spreads via the Internet as an attachment to infected
emails. It also downloads and installs a backdoor program.
The worm itself is a Windows PE EXE file about 64 KB in length (when compressed
with TeLock), written in Microsoft Visual C++.
Infected messages have the following characteristics:
From: big@boss.com
Subject: (one of the following)
Re: Movies
Re: Sample
Re: Document
Re: Here is that sample
Attachment: (one of the following)
Movie_0074.mpeg.pif
Document003.pif
Untitled1.pif
Sample.pif
The worm activates from an infected email only if the user opens the attached
file. Once run, it installs itself on the system, then runs its spreading
routine and payload.
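As an added example that is not part of the original entry, the following Python function checks a raw RFC 822 message against the sender, subject and attachment characteristics listed above; the sample message is constructed, and the function and constant names are this example's own.

```python
import email
from email import policy

# Message characteristics listed in the Sobig.a description above.
SOBIG_A_SENDER = "big@boss.com"
SOBIG_A_SUBJECTS = {"Re: Movies", "Re: Sample", "Re: Document", "Re: Here is that sample"}
SOBIG_A_ATTACHMENTS = {"Movie_0074.mpeg.pif", "Document003.pif", "Untitled1.pif", "Sample.pif"}


def match_sobig_a(raw_message: bytes) -> list[str]:
    """Return the Sobig.a indicators found in a raw RFC 822 message.

    The subjects ("Re: Document") also occur in legitimate mail, so a
    quarantine rule should require the attachment hit plus one other.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if SOBIG_A_SENDER in str(msg.get("From", "")).lower():
        hits.append("sender:" + SOBIG_A_SENDER)
    subject = str(msg.get("Subject", "")).strip()
    if subject in SOBIG_A_SUBJECTS:
        hits.append("subject:" + subject)
    # Walk every MIME part; the worm ships its executable as a .pif attachment.
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if name in SOBIG_A_ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name.lower().endswith(".pif"):
            hits.append("attachment-ext:.pif")
    return hits


# Constructed sample modelled on the description; the base64 body decodes to
# the word "constructed", not to a binary.
SAMPLE_MESSAGE = b"""From: big@boss.com
To: user@example.test
Subject: Re: Movies
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="CSmtpMsgPart123X456_000_00000001"

--CSmtpMsgPart123X456_000_00000001
Content-Type: application/octet-stream; name="Movie_0074.mpeg.pif"
Content-Disposition: attachment; filename="Movie_0074.mpeg.pif"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--CSmtpMsgPart123X456_000_00000001--
"""
```

Running match_sobig_a(SAMPLE_MESSAGE) reports the sender, subject and attachment hits; a message with only a matching subject reports just that one.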
Installing
While installing, the worm copies itself to the Windows directory under the name
WINMGM32.EXE and registers this file in the system registry auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsMGM" = \winmgm32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsMGM" = \winmgm32.exe
Spreading via E-mail
To send infected messages the worm connects directly to an SMTP server. To
collect recipient addresses it looks for files with the following extensions -
*.WAB, *.DBX, *.HTM, *.HTML, *.EML, *.TXT - and scans them for email address
strings.
Spreading via Local Network
The worm enumerates network shares and tries to copy itself, under the name
WINMGM32.EXE, to one of the following folders on each share:
Windows\All Users\Start Menu\Programs\StartUp\
Documents and Settings\All Users\Start Menu\Programs\Startup\
Set-up for the Backdoor Program
The worm downloads a text file from the Internet that contains a link to an
executable PE file. It downloads that executable into the Windows directory
under the name DWN.DAT and runs it.
The worm contains the following text strings:
B.ROOT-SERVERS.NET A.ROOT-SERVERS.NET
a+ \ %s
big@boss.com
[A-Za-z0-9]+[A-Za-z0-9_.-]+@(([A-Za-z0-9\-])+[.])+[A-Za-z]+
*.* x:\ From <%s> "%s" To Subject Date %s %s %c%4.4d H:mm:ss ddd, d MMM yyyy Importance
Microsoft Outlook Express 6.00.2600.0000 X-Mailer Normal X-MSMail-Priority
3 (Normal)
X-Priority ; filename=" attachment inline Content-Disposition:
Content-Transfer-Encoding: %s ; name="%s" Content-Type: %s Content Type
application/octet-stream --%s --%s-- Content-ID: <%s> Content-Transfer-Encoding: ;
charset="%s" text/ Content-Type: -- --%s Content-Type: multipart/alternative;
boundary="%s" CSmtpMsgPart123X456_001_%8.8X %s This is a multipart
message in MIME format %s: %s Message-ID 1.0 MIME-Version " ;
boundary=" mixed alternative related multipart/
CSmtpMsgPart123X456_000_%8.8X Content-
Type = =%2.2X -;.,?! Encoding took %dms ... 7bit 8bit
quoted-printable base64 SMTP tcp text/plain iso-8859-1 QUIT
EHLO %s %s Password: Username: AUTH LOGIN MAIL FROM: <%s> RCPT TO: <%s>.
DATA http://www.geocities.com/reteras/reteral.txt 0 Hello Attached
file: Movie_0074.mpeg.pif Document003.pif Untitled1.pif Sample.pif Re:
Movies Re: Sample Re: Document Re: Here is that sample 2003.1.23
Ret code: %d sntmls.dat dwn.dat r Windows\All Users\Start
Menu\Programs\StartUp\ Documents and Settings\All Users\Start
Menu\Programs\Startup\ $\ @pager.icq.com mail@mail.com Notify
pager.icq.com start WindowsMGM
SOFTWARE\Microsoft\Windows\CurrentVersion\Run wab dbx htm html eml txt
Worm.X winmgm32.exe Worm.X