
Win32.SoBig.E@mm

MEDIUM
MEDIUM
86,528 bytes; approx. 82 KB zipped
(W32/Sobig.e@MM (McAfee), WORM_SOBIG.E (Trend), W32/Sobig-E (Sophos))

Symptoms

  • Presence of the following files in the Windows folder:

    winssk32.exe
    msrrf.dat

  • Presence of one or more of the following registry values:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "SSKService" = "%WINDOWS%\winssk32.exe"
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "SSKService" = "%WINDOWS%\winssk32.exe"

    where %WINDOWS% is the Windows folder.
  • Removal instructions:

    The BitDefender Virus Analysis Team has released a free removal tool for this particular virus.

    Important: close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. You will also have to manually delete infected files stored inside archives and the infected messages in your mail client, since the tool does not look inside them.

    The BitDefender Antisobig-en.exe tool does the following:
  • it detects all the known Sobig versions;

  • it deletes the files infected with Sobig;

  • it kills the process from memory;

  • it repairs the Windows registry.


  • You may also need to restore the affected files.

    To stop the worm from reinfecting cleaned machines from machines that are still infected, disinfect every computer on the network before rebooting any of them, or unplug the network cables while you work.

    If you are running Windows 95/98/Me you will also have to apply the Microsoft patch for the Share Level Password vulnerability, which the worm uses to reach password-protected shares.
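    The file and registry symptoms listed above are easy to check by hand on one machine, but on a network you want the same check scripted. The following Python is an added example, not Bitdefender's removal tool: the dropped file names, the `SSKService` Run value, the Startup folders and the 86,528-byte size all come from this page, while the `.exe/.pif/.scr` filter on the Startup folders and the verdict strings are my own assumptions (the page does not say what the Startup-folder copy is named). The lookups are passed in as callables so the logic can be exercised off a Windows box; the `winreg`-backed default reader only works on Windows.

```python
"""Host check for the Sobig.E artifacts this page lists (added example)."""
import ntpath
import os
from typing import Callable, Dict, List, Optional

# Indicators taken from the page.
DROPPED_FILES = ["winssk32.exe", "msrrf.dat"]
WORM_SIZE = 86528                      # size of the worm body given on the page
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SSKService"
STARTUP_DIRS = [
    r"C:\Windows\All Users\Start Menu\Programs\Startup",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
]
STARTUP_EXTS = (".exe", ".pif", ".scr")  # assumption: what to flag in Startup


def winreg_read(hive: str, key: str, name: str) -> Optional[str]:
    """Default registry reader; Windows only (import fails elsewhere)."""
    import winreg
    root = winreg.HKEY_LOCAL_MACHINE if hive == "HKLM" else winreg.HKEY_CURRENT_USER
    try:
        with winreg.OpenKey(root, key) as k:
            data, _ = winreg.QueryValueEx(k, name)
            return str(data)
    except OSError:
        return None


def check_dropped_files(windir: str,
                        exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the page-listed files that are present under windir."""
    return [p for p in (ntpath.join(windir, n) for n in DROPPED_FILES) if exists(p)]


def size_matches_worm(path: str,
                      size: Callable[[str], int] = os.path.getsize) -> Optional[bool]:
    """True if the file is exactly the size the page gives for the worm body.

    A mismatch does not clear the file (another variant or a repacked copy),
    it only means this weak indicator did not fire. None if unreadable.
    """
    try:
        return size(path) == WORM_SIZE
    except OSError:
        return None


def check_run_values(read_value: Callable[[str, str, str], Optional[str]] = winreg_read
                     ) -> Dict[str, str]:
    """Return {hive: data} for Run\\SSKService values that launch winssk32.exe."""
    hits: Dict[str, str] = {}
    for hive in ("HKLM", "HKCU"):
        data = read_value(hive, RUN_KEY, RUN_VALUE)
        if data and ntpath.basename(data.strip('"')).lower() == "winssk32.exe":
            hits[hive] = data
    return hits


def check_startup_dirs(listdir: Callable[[str], List[str]] = os.listdir) -> List[str]:
    """List executables in the Startup folders the worm copies itself into.

    The page does not name the copy, so everything matching STARTUP_EXTS is
    returned for manual review rather than judged automatically.
    """
    found: List[str] = []
    for d in STARTUP_DIRS:
        try:
            names = listdir(d)
        except OSError:          # folder absent on this Windows version
            continue
        found.extend(ntpath.join(d, n) for n in names
                     if n.lower().endswith(STARTUP_EXTS))
    return found


def scan(windir: Optional[str] = None, **deps) -> Dict[str, object]:
    """Run all checks; deps may override exists/size/read_value/listdir."""
    windir = windir or os.environ.get("WINDIR", r"C:\WINDOWS")
    files = check_dropped_files(windir, deps.get("exists", os.path.exists))
    return {
        "files": files,
        "winssk32_size_match": next(
            (size_matches_worm(p, deps.get("size", os.path.getsize))
             for p in files if p.lower().endswith("winssk32.exe")), None),
        "run_values": check_run_values(deps.get("read_value", winreg_read)),
        "startup": check_startup_dirs(deps.get("listdir", os.listdir)),
        "infected": bool(files) or bool(check_run_values(deps.get("read_value", winreg_read))),
    }


if __name__ == "__main__":           # real scan; meaningful only on Windows
    print(scan())
```

    Either the dropped files or the Run value alone is enough to call the host infected; the size check and the Startup-folder listing are there to help confirm a hit, not to clear a machine.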

    Analyzed By

    Patrick Vicol BitDefender Virus Researcher

    Technical Description:

    Like Win32.Sobig.D@mm, this mass mailer spreads through e-mail and network shares. It deactivates itself on July 14, 2003.

    The infected e-mails look like this:

    From: support@yahoo.com (usually, but it can be any e-mail address)

    Subject is chosen from the following:

    004448554.pif
    Application.pif
    Applications.pif
    movie.pif
    new document.pif
    Referer.pif
    Screensaver.scr
    submited.pif
    Your application
    Re: Application
    Re: document.pif
    Re: Documents
    Re: Movie
    Re: Movies
    Re: ScReensaver
    Re: Submitted
    Re: Re: Application ref 003644
    Re: Re: Document

    Body: Please see the attached zip file for details.

    The attachment is one of:

    application.zip (containing application.pif)
    document.zip (containing document.pif)
    Movie.zip (containing Movie.pif)
    screensaver.zip (containing sky_world.scr)
    Your_details.zip (containing details.pif)

    Once executed, the worm copies itself to winssk32.exe and writes its configuration file, msrrf.dat, both in the Windows folder. It then creates the registry values listed above so that it runs at every Windows startup.

    Next, it searches files with the extensions .wab, .dbx, .htm, .html, .eml and .txt and harvests e-mail addresses from them. It carries its own SMTP engine and uses it to send zipped copies of itself to the harvested addresses, so it does not depend on the victim's mail client.

    It also spreads through network shares and attempts to place copies of itself in:

    C:\Windows\All Users\Start Menu\Programs\Startup\
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

    Due to a bug in the worm, the last character of the attachment's name may be missing (for example, Your_details.zi). Such a file is still a valid ZIP archive; only the name is truncated, so filters that key on the .zip extension alone will miss it.
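    The message pattern described above (forged sender, fixed subject list, fixed body text, a ZIP holding a single .pif/.scr) is what a mail gateway can match on. The Python below is an added example, not Bitdefender's detection: the subject, body, sender and attachment-name lists are copied from this page, while the scoring rule (an executable-only archive plus at least one other indicator) and the constructed sample messages are my own assumptions. It deliberately identifies the archive by its magic bytes rather than its name, so the truncated "Your_details.zi" case from the last paragraph is still caught.

```python
"""Mail-side detection of the Sobig.E message pattern (added example)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicator lists from the page, lower-cased for comparison.
SUBJECTS = {s.lower() for s in [
    "004448554.pif", "Application.pif", "Applications.pif", "movie.pif",
    "new document.pif", "Referer.pif", "Screensaver.scr", "submited.pif",
    "Your application", "Re: Application", "Re: document.pif", "Re: Documents",
    "Re: Movie", "Re: Movies", "Re: ScReensaver", "Re: Submitted",
    "Re: Re: Application ref 003644", "Re: Re: Document",
]}
BODY_TEXT = "Please see the attached zip file for details."
USUAL_SENDER = "support@yahoo.com"     # "usually", per the page; weak signal
ZIP_NAMES = {"application.zip", "document.zip", "movie.zip",
             "screensaver.zip", "your_details.zip"}
PAYLOAD_EXTS = (".pif", ".scr")
ZIP_MAGIC = b"PK\x03\x04"              # local file header of a ZIP archive


def inspect_attachment(name: str, data: bytes):
    """Return (name_matches_list, archive_holds_single_executable)."""
    lower = (name or "").lower()
    # The worm's bug drops the last character of the name (Your_details.zi),
    # so compare against each listed name with and without its final char.
    name_match = any(lower in (z, z[:-1]) for z in ZIP_NAMES)
    payload_archive = False
    if data.startswith(ZIP_MAGIC):    # sniff by magic, never by extension
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = []
        payload_archive = (len(members) == 1
                           and members[0].lower().endswith(PAYLOAD_EXTS))
    return name_match, payload_archive


def classify(raw: bytes) -> dict:
    """Classify one RFC 822 message as 'sobig.e' or 'clean' with reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    context, payload = [], []       # weak context indicators vs. the payload
    subject = (msg["Subject"] or "").strip().lower()
    if subject in SUBJECTS:
        context.append(f"subject {subject!r} is on the worm's list")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() == BODY_TEXT:
        context.append("body is the worm's fixed text")
    if (msg["From"] or "").lower().endswith(USUAL_SENDER):
        context.append("sender is the worm's usual forged address")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        name_match, payload_archive = inspect_attachment(
            name, part.get_payload(decode=True) or b"")
        if name_match:
            context.append(f"attachment name {name!r} is on the worm's list")
        if payload_archive:
            payload.append(f"attachment {name!r} is a ZIP holding one .pif/.scr")
    # Scoring rule (assumption): executable-only archive plus any other indicator.
    verdict = "sobig.e" if payload and context else "clean"
    return {"verdict": verdict, "reasons": context + payload}


def make_zip(inner_name: str) -> bytes:
    """Constructed archive with one member standing in for the worm's .pif."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"MZ placeholder, not a real program")
    return buf.getvalue()


def build_sample(subject: str, attachment_name: str, inner_name: str,
                 body: str = BODY_TEXT, sender: str = USUAL_SENDER) -> bytes:
    """Constructed test message in the shape the page describes (not a capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(make_zip(inner_name), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Truncated-name case from the page, and an unrelated clean message.
    print(classify(build_sample("Re: Documents", "Your_details.zi", "details.pif")))
    print(classify(build_sample("Quarterly figures", "report.zip", "report.pdf",
                                body="Numbers attached.", sender="alice@example.org")))
```

    The archive check is the strong indicator; subject, body, sender and attachment name are each forgeable and are only used to corroborate it, which keeps an ordinary ZIP that happens to carry a .pif from being blocked on its own.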