(Win32.Sobig.(A,B)@mm, Win32/Palyh.A@mm, Win32.HLLM.Ccn, W32.HLLW.Mankx@mm)
Presence of the following files in the Windows folder: msccn32.exe and hnks.ini
Presence of the process: msccn32.exe
Presence of the registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Tray
Presence of msccn32.exe in:
Windows\All Users\Start Menu\Programs\StartUp for Windows 9x
Documents and Settings\All Users\Start Menu\Programs\Startup for Windows 2000, XP
Manual removal: end the msccn32 process first (the file cannot be deleted while it is running), delete msccn32.exe and hnks.ini from the Windows folder and msccn32.exe from the StartUp folder, then remove the
value "System Tray" from the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which would otherwise start the worm again at the next logon.
Automatic removal: let BitDefender disinfect the machine, or use the free removal tool provided by BitDefender.
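The indicators above (running process, dropped files, StartUp copy, Run value) gathered into one host check. This is an added example, not BitDefender's removal tool; the indicator values are the ones from this description, and the folder locations are resolved from the windir and SystemDrive environment variables, which is an assumption about the host. The decision logic is kept separate from the data collection so it can be exercised offline with canned input.

```python
"""Host check for the Sobig.B indicators listed in this description.

Added example, not BitDefender's tool. Indicator values come from the
description; windir / SystemDrive are assumed to describe the host layout.
"""
import ntpath
import os
import platform
import subprocess

PROCESS_NAME = "msccn32.exe"
DROPPED_FILES = ("msccn32.exe", "hnks.ini")
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "System Tray"
# StartUp folders named in the description, relative to the system drive.
STARTUP_DIRS = (
    r"Windows\All Users\Start Menu\Programs\StartUp",                 # Windows 9x
    r"Documents and Settings\All Users\Start Menu\Programs\Startup",  # Windows 2000 / XP
)


def candidate_paths(windir, system_drive):
    """Every location the description says the dropped files may occupy."""
    paths = [ntpath.join(windir, name) for name in DROPPED_FILES]
    for folder in STARTUP_DIRS:
        paths.append(ntpath.join(system_drive + "\\", folder, PROCESS_NAME))
    return paths


def assess(running_processes, existing_paths, run_values):
    """Pure decision logic, usable offline with canned data.

    running_processes: image names as reported by tasklist
    existing_paths:    paths from candidate_paths() that exist on disk
    run_values:        {value name: data} read from HKLM\\...\\Run
    Returns the list of matched indicators (empty means clean).
    """
    hits = []
    if PROCESS_NAME in {p.lower() for p in running_processes}:
        hits.append("process:" + PROCESS_NAME)
    for path in existing_paths:
        if ntpath.basename(path).lower() in DROPPED_FILES:
            hits.append("file:" + path)
    # Registry value names are case-insensitive, so compare lower-cased.
    values = {name.lower(): data for name, data in run_values.items()}
    if RUN_VALUE.lower() in values:
        hits.append("registry:HKLM\\%s\\%s = %s"
                    % (RUN_KEY, RUN_VALUE, values[RUN_VALUE.lower()]))
    return hits


def collect_windows():
    """Gather live data on a Windows host; returns empty data elsewhere."""
    if platform.system() != "Windows":
        return [], [], {}
    import winreg  # Windows-only module
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True).stdout
    procs = [line.split('","')[0].strip('"')
             for line in out.splitlines() if line.strip()]
    windir = os.environ.get("windir", r"C:\WINDOWS")
    drive = os.environ.get("SystemDrive", "C:")
    present = [p for p in candidate_paths(windir, drive) if os.path.exists(p)]
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = data
            index += 1
    return procs, present, values


if __name__ == "__main__":
    matched = assess(*collect_windows())
    print("\n".join(matched) if matched else "no Sobig.B indicators found")
```

Run it on the suspect machine as an administrator; on a non-Windows system it only exercises the decision logic. A matched Run value without a matching file means the worm was removed but its autostart entry was left behind, which is the state the manual procedure above is meant to avoid.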
Ciubotariu Mircea BitDefender Virus Researcher
This mass mailer spreads via email, as an attached file with one of the following names:
The email carries a forged sender address (firstname.lastname@example.org), the body text "All information is in the attached file." and one of the following subjects:
Approved (Ref: 38446-263)
Re: Approved (Ref: 3394-65467)
Re: My details
Re: My application
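A mail-gateway rule built from the traits above, as an added example that is not BitDefender's code. It keys on the fixed subject set, the fixed body text and the presence of an attachment; the From address is ignored because the worm forges it, and attachment names are not used because this description does not list them. The two sample messages are constructed for the example, and the attachment name in the first one is made up.

```python
"""Gateway rule for the Sobig.B message traits given in this description.

Added example, not BitDefender's code. Sample messages are constructed.
"""
import email
from email import policy

SUBJECTS = {
    "Approved (Ref: 38446-263)",
    "Re: Approved (Ref: 3394-65467)",
    "Re: My details",
    "Re: My application",
}
BODY_TEXT = "All information is in the attached file."


def classify(raw_message):
    """Return the matched traits and a verdict for one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content().strip() if body_part else ""
    attachments = [part.get_filename() or "(unnamed)"
                   for part in msg.iter_attachments()]
    result = {
        "subject_match": subject in SUBJECTS,
        "body_match": body_text == BODY_TEXT,
        "attachments": attachments,
    }
    # Only the combination of all three traits is treated as the worm's mail:
    # "Re: My details" on its own is an ordinary subject line.
    result["is_sobig_b"] = (result["subject_match"] and result["body_match"]
                            and bool(attachments))
    return result


# Constructed sample: forged sender, listed subject, fixed body, one attachment
# (the filename details.pif is invented for this example).
SAMPLE = """\
From: firstname.lastname@example.org
To: user@example.net
Subject: Re: My details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

All information is in the attached file.
--b1
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed benign reply that shares a subject with the worm but nothing else.
BENIGN = """\
From: colleague@example.net
To: user@example.net
Subject: Re: My details

Here are the details you asked for, see you tomorrow.
"""

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, classify(raw))
```

The benign message shows why the subject alone is a poor signature: the worm's subjects are deliberately generic, so the rule only fires when the fixed body text and an attachment are present as well.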
Once executed, the malware copies itself into the Windows folder (%windir%, e.g. C:\WINNT) and runs that copy. It then searches the whole hard disk for email addresses contained in files with the following extensions: wab, dbx, htm, html, eml, txt (the Windows Address Book, Outlook Express mail stores, web pages, saved messages and plain text files).
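The harvesting step, reproduced as an added example (not the worm's code) so that a responder can run it over a copy of an infected disk and list the addresses the host could have mailed. It walks a tree, reads only files with the extensions listed above, and extracts addresses with a bytes pattern so the binary wab and dbx files can be scanned without decoding them. The address pattern and the sample tree are assumptions constructed for the example.

```python
"""Enumerate the addresses a Sobig.B-infected host could have harvested.

Added example, not the worm's code. Extension list is from the description;
the address regex and the sample tree are constructed for this example.
"""
import os
import re
import tempfile

HARVEST_EXTENSIONS = {".wab", ".dbx", ".htm", ".html", ".eml", ".txt"}
# Bytes pattern: binary address books (wab) and mail stores (dbx) are scanned
# for ASCII strings without attempting to parse their formats.
ADDRESS_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest(root):
    """Return the sorted, de-duplicated addresses found under root."""
    found = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in HARVEST_EXTENSIONS:
                continue
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or locked file
            for match in ADDRESS_RE.findall(data):
                found.add(match.decode("ascii", "ignore").lower())
    return sorted(found)


def demo():
    """Build a constructed sample tree in a temp dir and harvest it."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "sub"))
    samples = {
        "notes.txt": b"mail Bob <Bob@Example.org> or alice@example.net",
        os.path.join("sub", "page.htm"):
            b"<a href='mailto:carol@example.com'>x</a>\x00\xff",
        "skip.doc": b"dave@example.com",  # extension not on the worm's list
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return harvest(root)


if __name__ == "__main__":
    print(demo())
```

Run harvest() against the mounted image's root to get the list of people who should be warned that mail bearing the forged sender above may have reached them.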
From 31 May 2003 onward the worm no longer mails itself, but it still infects any machine on which it is executed.
The virus has been renamed from Win32.Palyh.A@mm to Win32.SoBig.B@mm, as it belongs to the SoBig family.