Name:  W32.Sobig.D@mm
Aliases:  W32/Sobig.d@MM,W32/Sobig-D,I-Worm.SoBig-C,Win32.HLLM.Reteras
Variants:  
Type:  Internet Worm
Platforms: Windows 32-bit
Status:  in the wild
Threat:  V-CON 2 (low)
The following has been derived from information provided by Symantec, Network Associates, Panda, Kaspersky Labs, and Sophos.
Virus Characteristics
W32.Sobig.D@mm is very similar to the other variants of SoBig. It is written in Microsoft Visual C++. Infected copies are 57,856 bytes in size and compressed with UPX. It uses its own SMTP engine and also spreads via network shares. It e-mails itself to every address it harvests from files with the following extensions: TXT, EML, HTML, HTM, DBX, and WAB. The sender address of the e-mail is spoofed. The infected e-mails have the following characteristics:
Sender: "admin@support.com"
Subject: (one of the following)
Application Ref: 456003
Re: Accepted
Re: App. 00347545-002
Re: Documents
Re: Movies
Re: Screensaver
Re: Your Application (Ref: 003844)
Your Application
Body: "See the attached file for details"
Attachment: (one of the following)
accepted.pif
app003475.pif
application.pif
application844.pif
applications.pif
document.pif
movies.pif
ref_456.pif
screensaver.scr
screensaver.pif
Note: The file extension may arrive truncated by one character (e.g. ".PI" instead of ".PIF").
Payload
Upon execution, the worm drops the following files into the WINDOWS directory:
CFRTB32.EXE (approx. 59kB)
RSSP32.DAT
DFTRN32.DAT
The following Registry values are added so that a copy of the worm is launched at Windows startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"SFtrb Service" = "C:\Windows\CFRTB32.EXE"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"SFtrb Service" = "C:\Windows\CFRTB32.EXE"
The worm will attempt to copy itself into the following folders by accessing unprotected C$ shares:
\Documents and Settings\All Users\Start Menu\Programs\Startup\
\Windows\All Users\Start Menu\Programs\Startup\
The worm will attempt to send NTP packets to port 123 of predefined IP addresses for remote NTP servers.
The worm checks the system date and time and stops propagating once the system date is past midnight on July 1, 2003.
The worm opens connections on ports 995, 996, 997, 998, and 999. This communication results in the system downloading files from specified URLs and executing them.
Preventative Measures
Block the following extension at the message gateway where possible:
.PI
.PIF
.SC
.SCR
Block communication on the following ports:
123
995
996
997
998
999
Ensure that administrative shares require appropriate authentication.
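As an added example (not part of this advisory and not any vendor's code), the following gateway-side filter applies the indicators listed above: it blocks the listed extensions, including the truncated ".PI" and ".SC" forms, and flags the spoofed sender and known subject lines as suspicious even when no attachment is present. It assumes messages are available as RFC 822 text; the sample message it checks is constructed here, not a real capture.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the advisory.
SOBIG_D_SENDER = "admin@support.com"
SOBIG_D_SUBJECTS = {
    "Application Ref: 456003", "Re: Accepted", "Re: App. 00347545-002",
    "Re: Documents", "Re: Movies", "Re: Screensaver",
    "Re: Your Application (Ref: 003844)", "Your Application"}
SOBIG_D_ATTACHMENTS = {
    "accepted.pif", "app003475.pif", "application.pif", "application844.pif",
    "applications.pif", "document.pif", "movies.pif", "ref_456.pif",
    "screensaver.scr", "screensaver.pif"}
# Gateway block list; ".pi" and ".sc" cover the truncated extensions the advisory notes.
BLOCKED_EXTENSIONS = {".pi", ".pif", ".sc", ".scr"}

def classify(raw_message):
    """Return (verdict, reasons): 'block' if an attachment has a blocked
    extension, 'suspicious' if only sender/subject indicators match, else 'pass'."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons, blocked = [], False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if os.path.splitext(name)[1] in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension on attachment {name!r}")
            blocked = True
        if name in SOBIG_D_ATTACHMENTS:
            reasons.append(f"known Sobig.D attachment name {name!r}")
    if parseaddr(str(msg["From"] or ""))[1].lower() == SOBIG_D_SENDER:
        reasons.append("spoofed Sobig.D sender address")
    if str(msg["Subject"] or "").strip() in SOBIG_D_SUBJECTS:
        reasons.append("known Sobig.D subject line")
    return ("block" if blocked else "suspicious" if reasons else "pass"), reasons

def build_sample(attachment_name, subject="Re: Documents", sender=SOBIG_D_SENDER):
    """Constructed test message mimicking the advisory's traits (not a real capture)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.test", subject
    m.set_content("See the attached file for details")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                     filename=attachment_name)
    return m.as_string()

if __name__ == "__main__":
    for name in ("document.pif", "document.pi", "report.txt"):
        print(name, classify(build_sample(name)))
```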
Fixes Available
Network Associates:
Minimum DAT: 4272, Detected as W32/SoBig.dam since 4266 DATs
Release Date: 05/21/2003
Minimum Engine: 4.1.60
Symantec:
Virus Definitions (Intelligent Updater): June 18, 2003
Virus Definitions (LiveUpdate): June 18, 2003