Subscriptions | RSS Feeds | Discussions | Polls | Site Map




All Threats

Viruses

Hackers

Spam
Whole site    Viruses
  
Virus Encyclopedia
Riskware
Alerts
Analysis
News
Glossary
Weblog


Malware Environment
Malware Descriptions
Who Creates Malware
History of Malware
Malware Trends
If Your Computer Is Infected

 
Malware Description Search

 

  Home / Viruses / Virus Encyclopedia / Malware Descriptions / Network Worms / Email Worms

Email-Worm.Win32.Sobig.b

Other versions: .a, .c, .e, .f

Aliases
Email-Worm.Win32.Sobig.b (Kaspersky Lab) is also known as: I-Worm.Sobig.b (Kaspersky Lab), W32/Sobig.b@MM (McAfee),   W32.Sobig.B@mm (Symantec),   Win32.HLLM.Reteras (Doctor Web),   W32/Sobig-B (Sophos),   Win32/Sobig.B@mm (RAV),   WORM_SOBIG.B (Trend Micro),   Worm/Sobig.B (H+BEDV),   W32/Sobig.B@mm (FRISK),   Win32:Sobig-B (ALWIL),   I-Worm/Sobig.B (Grisoft),   Win32.Sobig.B@mm (SOFTWIN),   Worm.Palyh.A (ClamAV),   W32/Sobig.B (Panda),   Win32/Sobig.B (Eset)
Description added May 19 2003
Behavior Email Worm
Technical details
This is a worm virus spreading via the Internet as a file attachment to infected emails. The worm also spreads via local area networks.

The worm itself is a Windows PE EXE file, written in Microsoft Visual C++, and is compressed by UPX. File size ranges from 50KB (UPX) and above - the decompressed size is 110KB and above.

The worm activates from infected email only when a user clicks on the attached file.

When run the worm installs itself to the system and runs its spreading routine.

Installing

While installing the worm copies itself to the Windows directory under the "msccn32.exe" name and registers itself in the system registry auto-run keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe
Because of a bug the worm in some cases copies itself to the wrong directories (root drive, current directory), but despite this, its spreading routines will activate upon the next computer restart.

Spreading via email

To send infected messages the worm uses a direct connection to the default SMTP server. To get victim emails the worm looks for .TXT, .EML, .HTML, .HTM, .DBX, .WAB files in all directories on all available local drives. Palyh then gets email-like strings from files the files that are found.


Messages contain the following attributes:

From:

support@microsoft.com
Subject:

Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My details
Your password
Re: Approved (Ref: 3394-65467)
Approved (Ref: 38446-263)
Your details
Message Body:

All information is in the attached file.
Attached file name:

your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif
The worm also creates a file named "hnks.ini" in the Windows directory and writes to this file the email addresses that were found on an infected machine.

Spreading via network

The worm enumerates all accessible network resources (other computers in a network) and copies itself to into the present auto-run directories.

Windows\All Users\Start Menu\Programs\StartUp\
Documents and Settings\All Users\Start Menu\Programs\Startup\
Updating

The worm downloads files from four Web addresses (they are "hardcoded" in the worm body) and executes them. As a result the worm is able to "upgrade" itself with new versions, and/or install other applications (trojan programs, for example).

Other

All worm routines (except "Updating" - see above) are active until May 31, 2003. Meaning, the worm does not run its spreading (both email and network) routines after May 31, 2003.

 		 

Copyright © 1996 - 2010
Kaspersky Lab
Industry-leading Antivirus Software
All rights reserved
 

Email: webmaster@viruslist.com