W32/Sobig.b@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 05/18/2003
Length: approx. 58 KBytes
Minimum DAT: 4265 (05/18/2003)
Updated DAT: 4296 (10/01/2003)
Minimum Engine: 5.1.00
Description Added: 05/18/2003
Description Modified: 05/31/2003 8:04 PM (PT)
Risk Assessment
Corporate User: Medium
Home User: Medium

Characteristics

-- Update 05/21/03 --

Starting from the 4266 DATs (released 05/21/03), this virus has been renamed from W32/Palyh@MM to W32/Sobig.b@MM in order to correctly identify it as a new variant of W32/Sobig@MM.

-- Update 05/18/03 --

Detection and cleaning for this worm is included in the 4265 DATs, which have been released today.

This worm bears strong similarities to W32/Sobig@MM. It is written in MSVC and is packed with UPX. The worm propagates via email and over network shares. It contains its own SMTP engine for constructing outgoing messages.

Mail Propagation

The worm mails itself to recipients extracted from the victim machine, constructing messages using its own SMTP engine.

Like W32/Sobig@MM, the worm may omit the closing quote from the attachment filename in the messages it constructs. Certain mail clients then strip a character from the end of the remaining filename, so attachments may appear with a ".PI" extension rather than ".PIF".

Target email addresses are extracted from files on the victim machine with the following extensions:

  • WAB
  • DBX
  • HTM
  • HTML
  • EML
  • TXT

The worm may arrive in an email with the following characteristics:

From: support@microsoft.com

Subject:

  • Re: My application
  • Re: Movie
  • Cool screensaver
  • Screensavers
  • Re: My details
  • Your password
  • Re: Approved (Ref: 3394-65467)
  • Approved (Ref: 38446-263)
  • Your details

Attachment:

Note: As mentioned above, the file extension may be truncated to .PI instead of the intended .PIF.

  • approved.pif
  • ref-394755.pif
  • password.pif
  • application.pif
  • screen_doc.pif
  • screen_temp.pif
  • movie28.pif
  • download1053122425102485703.uue
  • doc_details.pif
  • _approved.pif

Message Body:

All information is in the attached file.
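Mail-gateway triage logic for the message characteristics listed above, added here as an example and not part of the McAfee description: it matches the listed sender, subjects and attachment names, and treats a truncated ".pi" extension (from the missing closing quote) as ".pif". The sample message is constructed, and the "attachment plus sender or subject" decision rule is an assumption of this example.

```python
import re

# Indicators as listed in the Sobig.b description (lower-cased for comparison).
SOBIG_B_SENDER = "support@microsoft.com"
SOBIG_B_SUBJECTS = {
    "re: my application", "re: movie", "cool screensaver", "screensavers",
    "re: my details", "your password", "re: approved (ref: 3394-65467)",
    "approved (ref: 38446-263)", "your details",
}
SOBIG_B_ATTACHMENTS = {
    "approved.pif", "ref-394755.pif", "password.pif", "application.pif",
    "screen_doc.pif", "screen_temp.pif", "movie28.pif",
    "download1053122425102485703.uue", "doc_details.pif", "_approved.pif",
}

# Tolerates the missing closing quote the worm leaves on the filename parameter.
FILENAME_RE = re.compile(r'filename="?([^";\r\n]+)"?', re.IGNORECASE)


def attachment_names(raw_message):
    """Return every attachment filename found in Content-Disposition headers."""
    return [m.group(1).strip() for m in FILENAME_RE.finditer(raw_message)]


def normalise(name):
    """Lower-case the name and restore a '.pi' extension truncated from '.pif'."""
    lower = name.lower()
    return lower + "f" if lower.endswith(".pi") else lower


def sobig_b_indicators(raw_message):
    """List which Sobig.b mail characteristics a raw RFC 822 message exhibits."""
    hits = []
    m = re.search(r"^From:\s*(.+)$", raw_message, re.IGNORECASE | re.MULTILINE)
    if m and SOBIG_B_SENDER in m.group(1).lower():
        hits.append("sender")
    m = re.search(r"^Subject:\s*(.+)$", raw_message, re.IGNORECASE | re.MULTILINE)
    if m and m.group(1).strip().lower() in SOBIG_B_SUBJECTS:
        hits.append("subject")
    for name in attachment_names(raw_message):
        norm = normalise(name)
        if norm in SOBIG_B_ATTACHMENTS:
            hits.append("attachment:" + name)
        elif norm.endswith((".pif", ".uue")):
            hits.append("suspicious-extension:" + name)
    return hits


def is_sobig_b(raw_message):
    """Assumed rule: a listed attachment name plus the listed sender or a listed subject."""
    hits = sobig_b_indicators(raw_message)
    has_attachment = any(h.startswith("attachment:") for h in hits)
    return has_attachment and ("sender" in hits or "subject" in hits)


# Constructed sample message; note the unclosed quote on the filename parameter.
SAMPLE = ("From: support@microsoft.com\nTo: user@example.invalid\n"
          "Subject: Re: Approved (Ref: 3394-65467)\nMIME-Version: 1.0\n"
          'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\n'
          "Content-Type: text/plain\n\nAll information is in the attached file.\n"
          "--b1\nContent-Type: application/octet-stream\n"
          'Content-Disposition: attachment; filename="approved.pif\n\n--b1--\n')
```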

Share Propagation

The worm enumerates network shares. It tries to copy itself to the following network locations if the paths are accessible:

  • \Documents and Settings\All Users\Start Menu\Programs\Startup\
  • \Windows\All Users\Start Menu\Programs\Startup\

Installation

Upon execution, the worm drops the following files into the %windir% directory:

  • "msccn32.exe" (approx 50kB) (a copy of itself)
  • "hnks.ini" (configuration file)
  • "mdbrr.ini" (configuration file)

The following Registry keys are added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"System Tray" = %WinDir%\msccn32.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"System Tray" = %WinDir%\msccn32.exe

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

Symptoms

Existence of the files and Registry keys detailed above.

Method of Infection

This worm propagates via email and network shares.

The worm contains a routine that retrieves and checks the system date/time. If the date is 31st May 2003 or later, the worm no longer propagates, although it still installs itself on any machine where it is executed.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Sobig.b (AVP)
  • W32.HLLW.Mankx@mm (NAV)
  • W32.Sobig.B@mm (NAV)
  • W32/Palyh (Panda)
  • W32/Palyh-A (Sophos)
  • W32/Palyh@MM
  • W32/Sobig.b@MM
  • W32/Sobig.B@mm (F-Prot)
  • Win32.HLLM.Reteras.2 (Dialogue Sci)
  • Win32.Palyh.A (CA)
  • WORM_PALYH.A (Trend)
