My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Sobig.B@mm (Palyh)

HIGH
LOW
52706 (packed)
(Win32.Sobig.(A,B)@mm, Win32/Palyh.A@mm, Win32.HLLM.Ccn, W32.HLLW.Mankx@mm)

Symptoms

  • Presence of following files in Windows folder:
    msccn32.exe
    hnks.ini

  • Presence of the process: msccn32.exe

  • Presence of registry key:
    HKEY\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemTray="msccn32.exe"

  • Presence of msccn32.exe in:
    Windows\All Users\Start Menu\Programs\StartUp for Windows 9x

  • Documents and Settings\All Users\Start Menu\Programs\Startup for Windows 2000, XP

    Removal instructions:

    manual removal: kill the process msccn32, delete msccn32.exe and hnks.ini from windows directory and from StartUp; after that remove this
    key:  "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Tray"
    automatic removal: let BitDefender disinfect or use the free removal tool provided by BitDefender!

    Analyzed By

    Ciubotariu Mircea BitDefender Virus Researcher

    Technical Description:

    This mass mailer spreads itself via email, as an attatched file with one of the following names:
    your_details.pif
    ref-394755.pif
    approved.pif
    password.pif
    doc_details.pif
    screen_temp.pif
    screen_doc.pif
    movie28.pif
    application.pif

    The email is fakely sent from support@microsoft.com, has "All information is in the attached file." in body, and the subject is one of the following:
    Your details
    Approved (Ref: 38446-263)
    Re: Approved (Ref: 3394-65467)
    Your password
    Re: My details
    Screensaver
    Cool screensaver
    Re: Movie
    Re: My application

    Once executed the malware copyes itself in %windows% (i.e. C:\WINNT) and gives control to that copy. It searches the whole hard disk for email addresses contained in files with the following extensions: wab, dbx, htm, html, eml, txt.

    Starting with 31st of May 2003 the worm stops spreading but it still infects the machine where it is executed.
    The virus has been renamed from Win32.Palyh.A@mm into Win32.SoBig.B@mm, as it belongs to the SoBig family.