Win32.Sobig.A@mm

( N/A )

SYMPTOMS:

Mail from big@boss.com

File WINMGM32.EXE in %WINDIR% (Where %WINDIR% is your Windows directory)

Registry key WindowsMGM in:

[HKLM\\Microsoft\\Windows\\CurrentVersion\\Run]

containing the path to the worm executable.

TECHNICAL DESCRIPTION:

The worm searches on all the fixed drives for files with extensions: .TXT, .EML, .HTM, .HTML, .DBX, and .WAB, collect from there e-mail addresses, and sends itself in messages with one of the subjects:

Re: Document
Re: Here is that sample
Re: Movies
Re: Sample

The body of the mail can be empty, or contain a single line:

Attached file:

The name of the attachment (worm executable) is one of:

Document003.pif
Movie_0074.mpeg.pif
Sample.pif
Untitled1.pif

The worm also tries to connect to network shares, and copy itself to remote computer in the following directories:

Documents and Settings\\All Users\\Start Menu\\Programs\\Startup
Windows\\All Users\\Start Menu\\Programs\\StartUp

Removal instructions:

BitDefender can disinfect or delete automatically the files infected by this particular virus. The modified registry entries should be corrected manually.

1. If you don\'t have BitDefender installed click here to download an evaluation version;


2. Make sure that you have the latest updates using BitDefender Live!;


3. Make the following changes in the windows registry:
   
   Note: Please make sure to modify only the values that are specified. It is also recommended to backup the windows registry before proceeding with these changes. For more information on backing the registry please read the FAQ.
   
   
   1. Select Run... from Start, then type regedit and press Enter;
   
   
   2. Delete the following key:
      [HKLM\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsMGM]


4. Reboot the computer


5. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Sobig.A@mm.

ANALYZED BY:

Mihai Neagu
BitDefender Virus Researcher