Win32.Sobig.C@mm

HIGH
LOW
59211 bytes
(W32/Sobig.C@mm, Win32/Sobig.C@mm)

Symptoms

  • Presence of the files mscvb32.exe and msddr.dat in the %WINDIR% folder

  • The value "System MScvb" = "C:\WinNT\mcvb32.exe" in the registry key:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

Removal instructions:

The BitDefender Virus Analyse Team has released a free removal tool for this particular virus.

Important: You will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender Antisobig-en.exe tool does the following:

  • it detects all the known Sobig versions;

  • it deletes the files infected with Sobig;

  • it kills the process from memory;

  • it repairs the Windows registry.

You may also need to restore the affected files.

To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables.

If you are running Windows 95/98/Me you will have to apply the following patch provided by Microsoft to stop the virus from using the Share Level Password vulnerability.

Analyzed By

Sorin Victor Dudea BitDefender Virus Researcher

Technical Description:

Win32.Sobig.C@mm is an Internet worm that spreads through e-mail and local shares.

It arrives in the following format:

From: bill@microsoft.com

Subject: randomly chosen from the following strings:

Re: Movie
Re: Submited (004756-3463)
Re: 45443-343556
Re: Approved
Approved
Re: Your application
Re: Application

Body:
Please see the attached file

Attachment: randomly chosen from the following strings:

screensaver.scr
movie.pif
submited.pif
45443.pif
documents.pif
approved.pif
application.pif
document.pif
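
The message format above can be turned into a mail-gateway check. The following Python is an added example, not part of Bitdefender's description or of its removal tool: it parses a raw RFC 822 message with the standard library and reports which of the listed indicators (sender, subject, body text, attachment name) it matches; the sample message is constructed, not a real capture.

```python
from email import message_from_string

# Indicators exactly as listed in the description above.
SOBIG_C_SENDER = "bill@microsoft.com"
SOBIG_C_SUBJECTS = {
    "Re: Movie", "Re: Submited (004756-3463)", "Re: 45443-343556",
    "Re: Approved", "Approved", "Re: Your application", "Re: Application",
}
SOBIG_C_BODY = b"Please see the attached file"
SOBIG_C_ATTACHMENTS = {
    "screensaver.scr", "movie.pif", "submited.pif", "45443.pif",
    "documents.pif", "approved.pif", "application.pif", "document.pif",
}

def sobig_c_indicators(raw_message: str) -> set:
    """Return which of the page's indicators one RFC 822 message matches."""
    msg = message_from_string(raw_message)
    hits = set()
    if (msg.get("From") or "").strip().lower() == SOBIG_C_SENDER:
        hits.add("sender")
    if (msg.get("Subject") or "").strip() in SOBIG_C_SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() in SOBIG_C_ATTACHMENTS:
            hits.add("attachment")  # the worm itself, as a .pif/.scr file
        elif part.get_content_type() == "text/plain":
            if SOBIG_C_BODY in (part.get_payload(decode=True) or b""):
                hits.add("body")
    return hits

def is_sobig_c(raw_message: str) -> bool:
    # Quarantine rule: the worm's attachment name plus any other indicator.
    hits = sobig_c_indicators(raw_message)
    return "attachment" in hits and len(hits) >= 2

# Constructed sample (not a real capture) in the format the page describes.
SAMPLE_INFECTED = """\
From: bill@microsoft.com
Subject: Re: Movie
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file
--b1
Content-Disposition: attachment; filename="movie.pif"

--b1--
"""
```

Running `sobig_c_indicators(SAMPLE_INFECTED)` returns all four indicator names and `is_sobig_c(SAMPLE_INFECTED)` returns True; a message that merely reuses one of the subject lines yields only `{"subject"}` and is not flagged.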

When the user opens the attachment of an infected e-mail, the worm copies itself into the %WINDIR% directory under the following name: %WINDIR%\mscvb32.exe
It also creates the file %WINDIR%\msddr.dat

In the registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

it adds the value: "System MScvb" = "C:\WinNT\mcvb32.exe".

It scans the hard drive for files of the following types:

.wab
.dbx
.htm
.html
.eml
.txt

and searches for e-mail addresses inside those files. It then sends itself to every address found, in the same format in which it arrived.

The worm searches through network shares and copies itself into the following folders:

Windows\All Users\Start Menu\Programs\StartUp
Documents and Settings\All Users\Start Menu\Programs\Startup

More information will be posted after further analysis.