W32/Sobig.c@MM
Type: Virus
SubType: E-mail worm
Discovery Date: 05/31/2003
Length: 59,211 bytes
Minimum DAT: 4268 (06/01/2003)
Updated DAT: 4296 (10/01/2003)
Minimum Engine: 5.1.00
Description Added: 05/31/2003
Description Modified: 06/26/2003 4:05 AM (PT)
Characteristics
-- Update June 01, 2003 --
Due to an increase in prevalence over the past 24 hours, the risk assessment of this threat has been upgraded to Medium.
A new variant of the W32/Sobig virus has been discovered on 31st May 2003.
This variant is detected as W32/Sobig.dam in the 4267 DATs (released 28th May 2003). McAfee customers who updated to this version of DATs, or above, are therefore protected from this new variant.
This worm is similar to W32/Sobig.b@MM. It propagates via email and over network shares, and it contains its own SMTP engine for constructing outgoing messages.
Mail Propagation
The worm mails itself to recipients extracted from the victim machine, constructing messages using its own SMTP engine.
As with W32/Sobig@MM, the outgoing messages constructed by the worm may omit the closing quote from the attachment filename. With certain mail server products this results in the loss of the last character of the filename, so attachments may arrive with a ".PI" extension instead of ".PIF". Mail filters that match only the literal ".PIF" extension will therefore miss some of these messages.
Target email addresses are extracted from files on the victim machine with the following extensions:
- WAB
- DBX
- HTM
- HTML
- EML
- TXT
The worm may arrive in an email with the following characteristics:
From: bill@microsoft.com (the sender address is forged by the worm and may be any address; it does not identify the infected machine)
Subject: (one of the following)
- Approved
- Re: 45443-343556
- Re: Application
- Re: Approved
- Re: Movie
- Re: Screensaver
- Re: Submited (004756-3463)
- Re: Your application
Attachment: (one of the following; as noted above, the .PIF extension may arrive truncated to .PI)
- 45443.pif
- application.pif
- approved.pif
- document.pif
- documents.pif
- movie.pif
- screensaver.scr
- submited.pif
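The subject list, attachment names and the .PI truncation above are enough to build a gateway-side check. The following is an added example written for this page; it is not McAfee's detection logic or the worm's code. The three messages are constructed samples, the parser deliberately uses Python's compat32 `email` API so the malformed Content-Disposition header reaches the regex untouched, and the From address is not used as an indicator because the worm forges it.

```python
"""Gateway-side check for W32/Sobig.c@MM mail (added example, not McAfee's code)."""
import email
import os
import re

# Indicators taken from the description above (compared case-insensitively).
SUBJECTS = {
    "approved", "re: 45443-343556", "re: application", "re: approved",
    "re: movie", "re: screensaver", "re: submited (004756-3463)",
    "re: your application",
}
ATTACHMENTS = {
    "45443.pif", "application.pif", "approved.pif", "document.pif",
    "documents.pif", "movie.pif", "screensaver.scr", "submited.pif",
}
WORM_EXTS = {".pif", ".scr"}

# Accepts filename="movie.pif" as well as the worm's filename="movie.pif
# (closing quote missing), which a strict parser may reject or truncate.
FILENAME_RE = re.compile(r'filename\s*=\s*"?([^";\r\n]*)"?', re.IGNORECASE)


def attachment_names(msg):
    """Declared attachment filenames of a parsed email.message.Message."""
    names = []
    for part in msg.walk():
        disposition = part.get("Content-Disposition")
        if not disposition:
            continue
        m = FILENAME_RE.search(disposition)
        if m:
            names.append(os.path.basename(m.group(1).strip()))
    return names


def normalise(name):
    """Lower-case the name and undo the '.pi' truncation described above."""
    name = name.lower()
    return name + "f" if name.endswith(".pi") else name


def classify(raw):
    """Return the matched indicators and a verdict for one raw RFC 822 message."""
    # compat32 policy: header values come back as the raw strings on the wire.
    msg = email.message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    names = attachment_names(msg)
    canonical = [normalise(n) for n in names]
    subject_match = subject in SUBJECTS
    attachment_match = any(n in ATTACHMENTS for n in canonical)
    worm_ext = any(os.path.splitext(n)[1] in WORM_EXTS for n in canonical)
    return {
        "subject": subject,
        "attachments": names,
        "subject_match": subject_match,
        "attachment_match": attachment_match,
        # A known worm attachment name is enough on its own; a worm subject only
        # counts together with a .pif/.scr attachment. From: is forged, so unused.
        "verdict": attachment_match or (subject_match and worm_ext),
    }


# Constructed sample: worm-style message with the unterminated filename quote.
WORM_MAIL = """\
From: bill@microsoft.com
To: user@example.org
Subject: Re: Movie
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sobig-demo"

--sobig-demo
Content-Type: text/plain

Please see the attached file.
--sobig-demo
Content-Type: application/octet-stream; name="movie.pif"
Content-Disposition: attachment; filename="movie.pif
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--sobig-demo--
"""
# Constructed sample: the same message after a relay dropped the final character.
TRUNCATED_MAIL = WORM_MAIL.replace('filename="movie.pif', 'filename="movie.pi"')
# Constructed sample: legitimate mail that happens to reuse a worm subject.
BENIGN_MAIL = """\
From: hr@example.org
To: user@example.org
Subject: Re: Approved
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

Offer letter attached.
--b
Content-Type: application/pdf; name="offer.pdf"
Content-Disposition: attachment; filename="offer.pdf"

%PDF-1.4 constructed placeholder
--b--
"""

if __name__ == "__main__":
    for label, raw in (("worm", WORM_MAIL), ("truncated", TRUNCATED_MAIL), ("benign", BENIGN_MAIL)):
        print(label, classify(raw))
```

The subject alone is not treated as sufficient because "Re: Approved" or "Re: Application" occur in ordinary mail; the combination with a .PIF/.SCR attachment, or an exact attachment-name match after undoing the truncation, is what the rule keys on.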
Share Propagation
The worm enumerates network shares. For each share it tries to copy itself to the following locations (relative to the share root) if the paths are accessible:
- \Documents and Settings\All Users\Start Menu\Programs\Startup\
- \Windows\All Users\Start Menu\Programs\Startup\
Installation
Upon execution, the worm drops the following files into the %windir% directory:
- "mscvb32.exe" (approx 50kB) (a copy of itself)
- "msddr.dat" (configuration file)
The following Registry keys are added to hook system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"System MScvb" = %WinDir%\mscvb32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"System MScvb" = %WinDir%\mscvb32.exe
(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)
Symptoms
Presence of the file mscvb32.exe in the WINDOWS (%WinDir%) directory
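The installation artifacts listed above (the two dropped files, the "System MScvb" Run values and executables planted in the All Users Startup folders, including on shares) make a simple host-side sweep possible. The following is an added example written for this page, not McAfee's cleaner. It assumes the Startup folder paths given on this page (later Windows versions use different locations), reads the Run keys with `winreg` only on Windows, and otherwise runs against a constructed directory tree and a fake registry snapshot. Note that the worm's date check only stops propagation; already-installed copies keep running, so the sweep is still worthwhile after the cut-off date.

```python
"""Host-side sweep for W32/Sobig.c@MM artifacts (added example, not McAfee's code)."""
import os
import sys
import tempfile
from pathlib import Path

# Indicators taken from the description above.
WORM_FILES = {"mscvb32.exe", "msddr.dat"}
RUN_VALUE_NAME = "system mscvb"          # compared case-insensitively
RUN_KEY_PATHS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
STARTUP_SUBDIRS = (
    Path("Documents and Settings/All Users/Start Menu/Programs/Startup"),
    Path("Windows/All Users/Start Menu/Programs/Startup"),
)
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat"}


def check_windir(windir):
    """Report worm files dropped into %WinDir%."""
    windir = Path(windir)
    if not windir.is_dir():
        return []
    return [("file", str(p)) for p in windir.iterdir()
            if p.is_file() and p.name.lower() in WORM_FILES]


def check_run_values(run_values):
    """run_values maps a Run key path to its {value_name: data} entries.
    Flags the worm's own value name and any value whose data runs mscvb32.exe."""
    hits = []
    for key, values in run_values.items():
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME or "mscvb32.exe" in str(data).lower():
                hits.append(("registry", f"{key}\\{name} = {data}"))
    return hits


def check_startup_dirs(root):
    """Executables in the All Users Startup folders under `root`, which may be
    a local drive or a mapped share, since the worm copies itself there."""
    hits = []
    for sub in STARTUP_SUBDIRS:
        d = Path(root) / sub
        if not d.is_dir():
            continue
        hits.extend(("startup", str(p)) for p in d.iterdir()
                    if p.is_file() and p.suffix.lower() in EXECUTABLE_EXTS)
    return hits


def scan(windir, root, run_values):
    """All findings as (kind, detail) tuples."""
    return check_windir(windir) + check_startup_dirs(root) + check_run_values(run_values)


def read_run_values():
    """Read both Run keys with winreg (Windows only)."""
    import winreg
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    result = {}
    for path in RUN_KEY_PATHS:
        hive_name, subkey = path.split("\\", 1)
        result[path] = {}
        try:
            with winreg.OpenKey(hives[hive_name], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    result[path][name] = data
                    index += 1
        except OSError:
            pass
    return result


def run_demo():
    """Scan a constructed, infected-looking tree plus a fake registry snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        windir = root / "WINNT"
        windir.mkdir()
        (windir / "mscvb32.exe").write_bytes(b"MZ" + b"\0" * 64)   # constructed stand-in
        (windir / "msddr.dat").write_text("constructed config")
        (windir / "notepad.exe").write_bytes(b"MZ")                  # legitimate, ignored
        startup = root / STARTUP_SUBDIRS[0]
        startup.mkdir(parents=True)
        (startup / "mscvb32.exe").write_bytes(b"MZ")
        (startup / "desktop.ini").write_text("")
        fake_registry = {                                            # constructed snapshot
            RUN_KEY_PATHS[0]: {"System MScvb": r"C:\WINNT\mscvb32.exe",
                               "Synchronization Manager": "mobsync.exe /logon"},
            RUN_KEY_PATHS[1]: {},
        }
        return scan(windir, root, fake_registry)


if __name__ == "__main__":
    if sys.platform == "win32" and "--demo" not in sys.argv:
        drive = os.environ.get("SYSTEMDRIVE", "C:") + "\\"
        findings = scan(os.environ.get("WINDIR", r"C:\WINDOWS"), drive, read_run_values())
    else:
        findings = run_demo()
    for kind, detail in findings:
        print(f"[{kind}] {detail}")
```

Point `check_startup_dirs` at a mapped share (for example `\\host\c$\`) to sweep the locations the worm writes to over the network; the Run-key check keys on both the value name and the data so that a renamed value still surfaces.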
Method of Infection
This worm propagates via email and network shares.
The worm contains a routine which retrieves and checks the system date/time. If the date is 8th June 2003 or later, the worm no longer propagates (it still installs itself on any machine where it is executed, however).
Removal
Detection is included in the released 4267 DAT files as W32/Sobig.dam. The 4268 DAT files contain detection and removal as W32/Sobig.c@MM.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup are removed when cleaning with the 4.1.60+ engine and 4268+ DATs.
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
- Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode)
- Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt)
  - mscvb32.exe
  - msddr.dat
- Delete unusual executables from the following folders:
  - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
  - C:\Windows\All Users\Start Menu\Programs\Startup\
- Edit the registry: delete the "System MScvb" value from
  - "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
  - "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
- Reboot the system
Because the worm also copies itself into the All Users Startup folders of any reachable network share, check those folders on the other machines on the same network as well.
Additional Windows ME/XP removal considerations
On Windows ME and XP, System Restore may hold a copy of mscvb32.exe in a restore point and reinstate it later; disable System Restore before cleaning and re-enable it afterwards.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.Sobig.C@mm (Symantec)
- W32/Sobig.C@mm (F-Secure)
- W32/Sobig.dam
- WORM_SOBIG.C (Trend)