W32.Sobig.D@mm

Discussion in 'malware problems & news' started by Bowserman, Jun 18, 2003.

Thread Status:
Not open for further replies.
  1. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    From Symantec:

    "W32.Sobig.D@mm is a mass-mailing worm that sends itself to all the email addresses that it finds in files with the following extensions:

    .wab
    .dbx
    .htm
    .html
    .eml
    .txt

    The email falsely purports that it is sent by admin@support.com

    Email Routine Details
    The email message has the following characteristics:

    From: admin@support.com (NOTE: W32.Sobig.D@mm spoofs this field. It could be any address.)

    Subject: The subject line will be one of the following:
    Re: Documents
    Re: App. 00347545-002
    Re: Movies
    Application Ref: 456003
    Re: Your Application (Ref: 003844)
    Re: Screensaver
    Re: Accepted
    Your Application

    Message Body: See the attached file for details

    Attachment: The attachment name will be one of the following:
    Document.pif
    app003475.pif
    movies.pif
    ref_456.pif
    Application844.pif
    Screensaver.scr
    Accepted.pif
    Applications.pif
    Application.pif

    NOTE: The worm de-activates on July 2, 2003, and therefore, the last day on which the worm will spread is July 1, 2003.


    Also Known As: I-Worm.Sobig.gen [KAV], W32/Sobig [McAfee]
    Type: Worm
    Infection Length: 57,856 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me


    When W32.Sobig.D@mm is executed, it performs the following actions:
    1. Copies itself as %Windir%\cftrb32.exe.

    NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

    2. Creates the following files to store internal configuration data:

    %Windir%\dftrn32.dat
    %Windir%\rssp32.dat

    3. Adds the value:

    "SFtrb Service"="%Windir%\cftrb32.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that W32.Sobig.D@mm runs when you start Windows.

    4. If the operating system is Windows NT/2000/XP, then the worm will also add the value:

    "SFtrb Service"="%Windir%\cftrb32.exe"

    to the registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    5. Counts the Network Resources and copies itself to the following folders:
    Windows\All Users\Start Menu\Programs\StartUp
    Documents and Settings\All Users\Start Menu\Programs\Startup

    6. Attempts to download data from particular Web pages.

    W32.Sobig.D@mm is also network-aware. It counts the network resources and copies itself to the following folders on other computers to which it has access:
    Windows\All Users\Start Menu\Programs\StartUp
    Documents and Settings\All Users\Start Menu\Programs\Startup"

    For more information go here: http://www.symantec.com/avcenter/

    Regards, Jade.
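As an added example (not part of the post or of Symantec's writeup), the mail-gateway style check below turns the subject, body and attachment-name lists quoted above into a classifier; the sample message is constructed, and the helper names are my own.

```python
import email
from email import policy

# Indicators copied from the Symantec writeup quoted in the post above.
SUBJECTS = {
    "Re: Documents", "Re: App. 00347545-002", "Re: Movies",
    "Application Ref: 456003", "Re: Your Application (Ref: 003844)",
    "Re: Screensaver", "Re: Accepted", "Your Application",
}
ATTACHMENTS = {
    "document.pif", "app003475.pif", "movies.pif", "ref_456.pif",
    "application844.pif", "screensaver.scr", "accepted.pif",
    "applications.pif", "application.pif",
}
BODY = "see the attached file for details"

def sobig_d_indicators(raw: bytes) -> list[str]:
    """Return the Sobig.D indicators matched by a raw message. The From header
    is deliberately ignored: the worm spoofs it, so admin@support.com proves nothing."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() in ATTACHMENTS:
            hits.append("attachment:" + name)
        elif part.get_content_type() == "text/plain" and not name:
            if BODY in part.get_content().lower():
                hits.append("body")
    return hits

def is_sobig_d(raw: bytes) -> bool:
    """Flag on a listed attachment name alone, or on subject plus body together."""
    hits = sobig_d_indicators(raw)
    return any(h.startswith("attachment:") for h in hits) or {"subject", "body"} <= set(hits)

# Constructed test message (not a real capture); the attachment content is a placeholder.
SAMPLE = (b"From: admin@support.com\r\nTo: user@example.com\r\n"
          b"Subject: Re: Your Application (Ref: 003844)\r\n"
          b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
          b"--b1\r\nContent-Type: text/plain\r\n\r\nSee the attached file for details\r\n"
          b"--b1\r\nContent-Type: application/octet-stream; name=\"Application844.pif\"\r\n"
          b"Content-Disposition: attachment; filename=\"Application844.pif\"\r\n\r\n"
          b"PLACEHOLDER-NOT-A-REAL-PAYLOAD\r\n--b1--\r\n")

if __name__ == "__main__":
    print(sobig_d_indicators(SAMPLE), is_sobig_d(SAMPLE))
```

The attachment name is treated as the strong signal because the subject and body lines also occur in legitimate mail; a real gateway would pair this with a rule that strips .pif and .scr attachments outright.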
     
  2. ladyjeweler

    ladyjeweler Registered Member

    Joined:
    Feb 22, 2003
    Posts:
    23
    Location:
    North Carolina
    Thanks! I'm a Virus Mod at three boards and I didn't see that one this morning! Thanks again. :)

    Jeannie
     