86,528 bytes, approx 82 kb zipped
(W32/Sobig.e@MM (McAfee), WORM_SOBIG.E (Trend), W32/Sobig-E (Sophos))
Presence of the following files in the Windows folder:
Presence of one or more of the following registry keys:
where %WINDOWS% points to the Windows folder.
The BitDefender Virus Analysis Team has released a free removal tool for this particular virus. Important: you will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.
The BitDefender Antisobig-en.exe tool does the following:
it detects all the known Sobig versions;
it deletes the files infected with Sobig;
it kills the process from memory;
it repairs the Windows registry.
You may also need to restore the affected files.
To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables.
If you are running Windows 95/98/Me you will have to apply the following patch provided by Microsoft to stop the virus from using the Share Level Password
Patrick Vicol BitDefender Virus Researcher
Similar to Win32.Sobig.D@mm, this mass mailer spreads through e-mail and network shares. It will deactivate itself on July 14, 2003.
The infected e-mails look like this:
From: firstname.lastname@example.org (usually, but it can be any e-mail address)
Subject is chosen from the following:
Re: Re: Application ref 003644
Re: Re: Document
Body: Please see the attached zip file for details.
Attachment can be:
Once executed, the virus creates a copy of itself as winssk32.exe and a configuration file, msrrf.dat, both in the Windows folder. It then creates the aforementioned registry keys so that it runs at every Windows startup.
Next, it searches files matching .wab, .dbx, .htm, .html, .eml and .txt and harvests e-mail addresses from them. It has its own SMTP engine, which it uses to send zipped copies of itself to the harvested addresses.
It also spreads through network shares and attempts to place copies of itself in:
C:\Windows\All Users\Start Menu\Programs\Startup\
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Due to a bug in the virus, the last letter of the attachment's name may be missing (example: Your_details.zi).
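As an added example (not part of the BitDefender description), a small Python mail-filter check that combines the indicators given above: the two subject lines, the body text, and the truncated ".zi" attachment name caused by the bug. The names Message, sobig_e_indicators and is_sobig_e_candidate are my own, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the description above: the two subject lines, the body
# text, and the ".zi" attachment extension produced by the worm's truncation bug.
SOBIG_E_SUBJECTS = {"re: re: application ref 003644", "re: re: document"}
SOBIG_E_BODY = "please see the attached zip file for details."
ZIP_ATTACHMENT = re.compile(r"\.zip?$", re.IGNORECASE)  # ".zip" or truncated ".zi"


@dataclass
class Message:
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


def sobig_e_indicators(msg: Message) -> list[str]:
    """Return the Sobig.E indicators present in a message (empty list = none)."""
    hits = []
    if msg.subject.strip().lower() in SOBIG_E_SUBJECTS:
        hits.append("subject")
    if SOBIG_E_BODY in msg.body.lower():
        hits.append("body")
    for name in msg.attachments:
        if ZIP_ATTACHMENT.search(name):
            # The truncated form is reported separately: it is the clearest single sign.
            hits.append("truncated-zip" if name.lower().endswith(".zi") else "zip")
    return hits


def is_sobig_e_candidate(msg: Message) -> bool:
    """A zip attachment alone is too common to flag; require the known subject or
    body together with it. A truncated ".zi" name is enough on its own, since
    ordinary mail clients do not produce it."""
    hits = sobig_e_indicators(msg)
    return "truncated-zip" in hits or ("zip" in hits and ("subject" in hits or "body" in hits))


# Constructed sample messages (not real captures), one per decision branch.
SAMPLES = [
    Message("Re: Re: Document", "Please see the attached zip file for details.",
            ["Your_details.zip"]),
    Message("Weekly report", "Attached as discussed.", ["Your_details.zi"]),
    Message("Weekly report", "Figures attached.", ["report.zip"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.subject, m.attachments, "->", is_sobig_e_candidate(m), sobig_e_indicators(m))
```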