Win32.Sobig.B@mm (Palyh)( Win32.Sobig.(A,B)@mm, Win32/Palyh.A@mm, Win32.HLLM.Ccn, W32.HLLW.Mankx@mm )
SYMPTOMS: msccn32.exe hnks.ini HKEY\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\System Tray = \"msccn32.exe\" Windows\\All Users\\Start Menu\\Programs\\StartUp for Windows 9x Documents and Settings\\All Users\\Start Menu\\Programs\\Startup for Windows 2000, XP TECHNICAL DESCRIPTION: This mass mailer spreads itself via email, as an attatched file with one of the following names:your_details.pif ref-394755.pif approved.pif password.pif doc_details.pif screen_temp.pif screen_doc.pif movie28.pif application.pif The email is fakely sent from support@microsoft.com, has \"All information is in the attached file.\" in body, and the subject is one of the following: Your details Approved (Ref: 38446-263) Re: Approved (Ref: 3394-65467) Your password Re: My details Screensaver Cool screensaver Re: Movie Re: My application Once executed the malware copyes itself in %windows% (i.e. C:\\WINNT) and gives control to that copy. It searches the whole hard disk for email addresses contained in files with the following extensions: wab, dbx, htm, html, eml, txt. Starting with 31st of May 2003 the worm stops spreading but it still infects the machine where it is executed. The virus has been renamed from Win32.Palyh.A@mm into Win32.SoBig.B@mm, as it belongs to the SoBig family. Removal instructions: manual removal: kill the process msccn32, delete msccn32.exe and hnks.ini from windows directory and from StartUp; after that remove thiskey: \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\System Tray\" automatic removal: let BitDefender disinfect or use the free removal tool provided by BitDefender! ANALYZED BY: Ciubotariu MirceaBitDefender Virus Researcher |