Win32.Sobig.F@mm

HIGH
LOW
~70 KB
(W32/Sobig.F@mm)

Symptoms

  • Registry key

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrayX]

    with value

    %WINDIR%\winppr32.exe /sinc


  • Registry key

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrayX]

    with value

    %WINDIR%\winppr32.exe /sinc


  • The following files in the %WINDIR% folder:

    Winstt32.dat
    Winppr32.exe
    Winstf32.dll
  • Removal instructions:

    The BitDefender Virus Analyse Team has released a free removal tool for this particular virus.

    Important: close all applications (including the antivirus shields) before running the tool, and restart the computer afterwards. Additionally, you will have to manually delete the infected files located inside archives and the infected messages from your mail client.

    The BitDefender Antisobig-en.exe tool does the following:

  • it detects all the known Sobig versions;

  • it deletes the files infected with Sobig;

  • it kills the process from memory;

  • it repairs the Windows registry.

    You may also need to restore the affected files.

    To prevent the virus from spreading from infected machines to clean ones, disinfect all computers in the network before rebooting any of them, or unplug the network cables first.

    If you are running Windows 95/98/Me, you will also have to apply the following patch provided by Microsoft to stop the virus from exploiting the Share Level Password vulnerability.

    Analyzed By

    Sorin Dudea BitDefender Virus Researcher

    Technical Description:

    It arrives in e-mail in the following format:

    Subject: Randomly chosen from the following list:

    Re: That movie
    Re: Wicked screensaver
    Re: Your application
    Re: Approved
    Re: Re: My details
    Re: Details
    Your details
    Thank you!
    Re: Thank you!

    Body:

    Please see the attached file for details.

    or

    See the attached file for details

    Attachment: Randomly chosen from the following list:

    movie0045.pif
    wicked_scr.scr
    application.pif
    document_9446.pif
    details.pif
    your_details.pif
    thank_you.pif
    document_all.pif
    your_document.pif

    After the user opens the attachment, the worm copies itself to the following location:

    %WINDIR%\winppr32.exe

    and adds the following registry keys:
  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrayX]

    with value

    %WINDIR%\winppr32.exe /sinc


  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrayX]

    with value

    %WINDIR%\winppr32.exe /sinc

  • It searches for e-mail addresses in files with the following extensions:

    html
    wab
    mht
    hlp
    txt
    eml
    htm
    dbx

    The worm includes a thread that, once every hour, obtains the current time by connecting three times to public NTP (Network Time Protocol) servers from a hard-coded list. If the day of the week is Friday or Sunday and the hour is between 19:00 and 22:59, the worm tries to contact several hard-coded hosts on UDP port 8998 in order to receive the location of a file to download and execute. The IP addresses of these hosts are:
    68.50.208.96, 12.232.104.221, 218.147.164.29, 24.33.66.38, 12.158.102.205, 24.197.143.132, 24.206.75.137, 24.202.91.43, 24.210.182.156, 61.38.187.59, 65.92.80.218, 63.250.82.87, 65.92.186.145, 65.95.193.138, 65.93.81.59, 65.177.240.194, 66.131.207.81, 67.9.241.67, 68.38.159.161, 67.73.21.6.

    It then waits for the reply, decodes it, connects to the location it contains and downloads a file using the URLDownloadToCacheFileA API call. The worm executes the downloaded file directly with a CreateProcess call.
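As an added example (not Bitdefender's code or part of the original analysis), the following Python flags outbound UDP/8998 traffic that matches the update beacon described above, using the host list and the Friday/Sunday 19:00 to 22:59 window from the text. The log line format and the sample lines are constructed for the example, and the window is evaluated on the logged timestamp, which is assumed to be in the same time zone as the NTP time the worm reads.

```python
# Added example (not Bitdefender's code): flag UDP/8998 traffic matching the Sobig.F beacon.
import re
from datetime import datetime
# Hosts the worm contacts on UDP 8998 (from the analysis above).
SOBIG_F_UPDATE_HOSTS = {
    "68.50.208.96", "12.232.104.221", "218.147.164.29", "24.33.66.38",
    "12.158.102.205", "24.197.143.132", "24.206.75.137", "24.202.91.43",
    "24.210.182.156", "61.38.187.59", "65.92.80.218", "63.250.82.87",
    "65.92.186.145", "65.95.193.138", "65.93.81.59", "65.177.240.194",
    "66.131.207.81", "67.9.241.67", "68.38.159.161", "67.73.21.6",
}
TRIGGER_DAYS = {4, 6}           # datetime.weekday(): Friday=4, Sunday=6
TRIGGER_HOURS = range(19, 23)   # 19:00 through 22:59
# Constructed log shape (an assumption, not a real product's format):
# "<ISO timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^(\S+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")

def in_trigger_window(ts: datetime) -> bool:
    """Friday/Sunday 19:00-22:59 on the logged clock (assumed to match the
    NTP time the worm reads)."""
    return ts.weekday() in TRIGGER_DAYS and ts.hour in TRIGGER_HOURS

def classify(line: str) -> str:
    """Return 'beacon', 'suspicious' or 'ok' for one log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return "ok"
    ts_text, proto, _src, _sport, dst, dport = m.groups()
    if proto != "UDP" or dport != "8998":
        return "ok"
    if dst not in SOBIG_F_UPDATE_HOSTS:
        return "suspicious"   # UDP/8998 to any other host: unusual, review it
    # Known update host: the documented beacon inside the window; outside it,
    # still suspicious (clock skew, or the host reused by something else).
    ts = datetime.fromisoformat(ts_text)
    return "beacon" if in_trigger_window(ts) else "suspicious"

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2003-09-05T19:12:03 UDP 10.0.0.7:1055 -> 68.50.208.96:8998",    # Friday, in window
    "2003-09-06T19:12:03 UDP 10.0.0.7:1056 -> 68.50.208.96:8998",    # Saturday
    "2003-09-07T23:01:00 UDP 10.0.0.7:1057 -> 12.232.104.221:8998",  # Sunday, after 22:59
    "2003-09-05T19:30:00 TCP 10.0.0.7:1058 -> 68.50.208.96:8998",    # TCP, not UDP
    "2003-09-05T20:00:00 UDP 10.0.0.7:1059 -> 10.0.0.1:53",          # DNS, fine
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), line)
```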

    The worm also spreads through network shares.

    It stops spreading after 10.09.2003.