W32/Sobig.d@MM
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 06/18/2003
- Length: 59,378 bytes
- Minimum DAT: 4266 (05/21/2003)
- Updated DAT: 4296 (10/01/2003)
- Minimum Engine: 5.1.00
- Description Added: 06/18/2003
- Description Modified: 06/18/2003 2:53 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update June 18, 2003 --
This threat was updated to a Low-Profiled risk due to media attention at: http://www.theregister.co.uk/content/56/31292.html
The variant is detected as W32/Sobig.dam with the 4266 DATs (released 21st May 2003) or greater. McAfee customers who have updated to this version of DATs, or above, are therefore protected from this new variant. Precise identification as W32/Sobig.d@MM is provided in the 4272 DATs.
This worm bears strong similarities to W32/Sobig.c@MM. It propagates via email and over network shares. It contains its own SMTP engine for constructing outgoing messages.
Mail Propagation
The worm mails itself to recipients extracted from the victim machine, constructing messages using its own SMTP engine.
As with W32/Sobig@MM, the worm may omit the closing quote from the attachment filename in the messages it constructs, so the attachment can arrive with a ".PI" extension rather than the intended ".PIF".
The worm may arrive in an email bearing the following characteristics:
From: admin@support.com * (could be any address, see note below)
Subject: (one of the following)
- Application Ref: 456003
- Re: Accepted
- Re: App. 00347545-002
- Re: Documents
- Re: Movies
- Re: Screensaver
- Re: Your Application (Ref: 003844)
- Your Application
Body: See the attached file for details
Attachment:
Note: As mentioned above, the file extension may be truncated by a character (eg. ".PI" instead of the intended .PIF).
- accepted.pif
- app003475.pif
- application.pif
- application844.pif
- applications.pif
- document.pif
- movies.pif
- ref_456.pif
- screensaver.scr
* Note: This variant spoofs, or forges, the from address. Therefore the perceived sender is most likely not a pointer to the infected user.
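The mail indicators above (subject lines, attachment names, and the truncated ".pi" extension produced by the missing closing quote) can be turned into a simple gateway check. The following is an added example, not code from the original description or from McAfee: the sample messages are constructed, and the matcher treats an attachment name as a hit when it equals a listed name or that name minus its last character.

```python
import re
from typing import Dict, List

# Subject lines and attachment names listed in the description above, lower-cased.
SOBIG_D_SUBJECTS = {
    "application ref: 456003",
    "re: accepted",
    "re: app. 00347545-002",
    "re: documents",
    "re: movies",
    "re: screensaver",
    "re: your application (ref: 003844)",
    "your application",
}
SOBIG_D_ATTACHMENTS = {
    "accepted.pif", "app003475.pif", "application.pif", "application844.pif",
    "applications.pif", "document.pif", "movies.pif", "ref_456.pif",
    "screensaver.scr",
}

# Pulls the value of every name= / filename= MIME parameter in the raw message.
# The closing quote is optional so that a parameter the worm left unterminated
# (the cause of the ".pi" extensions) is still captured up to the end of the line.
_NAME_PARAM = re.compile(r'\b(?:file)?name\s*=\s*"?([^";\r\n]+)', re.IGNORECASE)
_SUBJECT = re.compile(r"^Subject:[ \t]*(.*)$", re.IGNORECASE | re.MULTILINE)


def attachment_matches(observed: str) -> bool:
    """True if the name is a listed indicator, or that indicator minus its last character."""
    name = observed.strip().strip('"').lower()
    for known in SOBIG_D_ATTACHMENTS:
        if name == known or (len(known) - len(name) == 1 and known.startswith(name)):
            return True
    return False


def classify_message(raw: str) -> Dict[str, object]:
    """Score one raw RFC 822 message against the Sobig.D mail indicators."""
    m = _SUBJECT.search(raw)
    subject = m.group(1).strip() if m else ""
    names = [n.strip() for n in _NAME_PARAM.findall(raw)]
    subject_hit = subject.lower() in SOBIG_D_SUBJECTS
    attachment_hits = sorted({n.lower() for n in names if attachment_matches(n)})
    # The attachment name is the strong indicator; subjects such as "Re: Documents"
    # are too generic to act on alone, so subject-only messages are left as clean.
    if attachment_hits and subject_hit:
        verdict = "sobig.d"
    elif attachment_hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "subject": subject,
        "attachments": names,
        "subject_hit": subject_hit,
        "attachment_hits": attachment_hits,
        "verdict": verdict,
    }


# Constructed sample messages (not real captures). The second MIME part reproduces
# the unterminated filename parameter described above.
SAMPLE_SOBIG = (
    "From: admin@support.com\r\n"
    "To: someone@example.org\r\n"
    "Subject: Re: Documents\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "See the attached file for details\r\n"
    "--b1\r\n"
    'Content-Type: application/octet-stream; name="document.pif"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="document.pi\r\n'
    "\r\n"
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    "--b1--\r\n"
)
SAMPLE_BENIGN = (
    "From: hr@example.org\r\n"
    "To: someone@example.org\r\n"
    "Subject: Re: Documents\r\n"
    'Content-Type: application/pdf; name="timesheet.pdf"\r\n'
    "\r\n"
    "Attached as discussed.\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_SOBIG, SAMPLE_BENIGN):
        result = classify_message(sample)
        print(result["verdict"], result["subject"], result["attachment_hits"])
```

The parameter regex is deliberately hand-rolled rather than relying on a MIME library, because the malformed (unquoted) parameter is exactly the case a strict parser may drop or mangle. Matching is case-insensitive throughout, since the worm's names appear in both cases in the wild.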
Share Propagation
The worm enumerates network shares and tries to copy itself to the following locations on each share, if the path exists and is writable:
- \Documents and Settings\All Users\Start Menu\Programs\Startup\
- \Windows\All Users\Start Menu\Programs\Startup\
Installation
Upon execution, the worm drops the following files into the %WinDir% directory:
- CFTRB32.EXE (59,378 bytes; a copy of itself)
- RSSP32.DAT (configuration file)
The following Registry values are added to hook system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"SFtrb Service" = %WinDir%\CFTRB32.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"SFtrb Service" = %WinDir%\CFTRB32.EXE
(where %WinDir% is the default Windows directory, for example C:\WINNT or C:\WINDOWS)
Contacting Remote NTP Servers
The worm contains a hard-coded list of IP addresses of remote NTP servers, to which it sends NTP packets (UDP, destination port 123).
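Because the worm works through a built-in list of many NTP servers, the network-side tell is a single internal host sending UDP/123 to several addresses that are not the site's own time servers. The following is an added example, not part of the original description: it assumes a key=value firewall/flow log layout and an approved NTP server list (both constructed here), and reports only hosts that reach more than one unapproved destination, so a single mis-configured client does not trigger it.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Assumed: the organisation's own time servers, the only hosts internal clients
# should be talking to on UDP/123. Replace with the real list.
APPROVED_NTP: Set[str] = {"10.0.0.1"}

# Assumed key=value flow/firewall log layout; adapt the pattern to the real source.
_FLOW = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+"
    r"sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_flow(line: str) -> Optional[Dict[str, str]]:
    """Return the flow fields of one log line, or None if the line does not parse."""
    m = _FLOW.search(line)
    return m.groupdict() if m else None


def find_ntp_beaconers(lines, approved: Set[str] = APPROVED_NTP,
                       min_external_dsts: int = 2) -> Dict[str, List[str]]:
    """Map each source host to the unapproved NTP destinations it contacted.

    Only hosts that reach at least min_external_dsts distinct unapproved addresses
    are reported: one client pointed at one public server is noise, whereas the
    worm cycles through a list of many servers.
    """
    external: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if not flow or flow["proto"].lower() != "udp" or flow["dport"] != "123":
            continue
        if flow["dst"] not in approved:
            external[flow["src"]].add(flow["dst"])
    return {src: sorted(dsts) for src, dsts in sorted(external.items())
            if len(dsts) >= min_external_dsts}


# Constructed sample log (RFC 5737 documentation addresses stand in for the
# worm's remote NTP servers). 10.0.0.5 behaves like an infected host.
SAMPLE_FLOWS = [
    "2003-06-18T10:01:02 src=10.0.0.5 dst=192.0.2.10 proto=udp sport=1035 dport=123",
    "2003-06-18T10:01:02 src=10.0.0.5 dst=198.51.100.20 proto=udp sport=1036 dport=123",
    "2003-06-18T10:01:03 src=10.0.0.5 dst=203.0.113.30 proto=udp sport=1037 dport=123",
    "2003-06-18T10:01:03 src=10.0.0.5 dst=203.0.113.30 proto=udp sport=1038 dport=123",
    "2003-06-18T10:01:05 src=10.0.0.7 dst=10.0.0.1 proto=udp sport=123 dport=123",
    "2003-06-18T10:01:07 src=10.0.0.9 dst=192.0.2.10 proto=udp sport=1040 dport=123",
    "2003-06-18T10:01:09 src=10.0.0.9 dst=203.0.113.30 proto=tcp sport=1041 dport=123",
    "2003-06-18T10:01:10 malformed line",
]

if __name__ == "__main__":
    for src, dsts in find_ntp_beaconers(SAMPLE_FLOWS).items():
        print(f"{src} -> {len(dsts)} unapproved NTP servers: {', '.join(dsts)}")
```

Lowering `min_external_dsts` to 1 turns the check into a plain "any unapproved NTP destination" policy audit, which is also useful once the site's time servers are the only permitted NTP egress.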
Symptoms
- Presence of the file CFTRB32.EXE (59,378 bytes) in the %WinDir% directory.
- Presence of the Registry hooks detailed above.
- Unexpected NTP traffic to remote servers (UDP, destination port 123).
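The host-side symptoms (dropped files, the "SFtrb Service" Run values, and stray executables in the All Users Startup folders reached via share propagation) can be checked in one pass. The following is an added example, not code from the original description or from McAfee. The pure matcher takes a snapshot of Run values and directory listings so it can be run against exported data on any platform; `collect_snapshot` gathers the same inputs from a live Windows host via `winreg` and `os.scandir`. The snapshot data is constructed, and both spellings of the dropped file name seen in write-ups (CFTRB32.EXE and CFRTB32.EXE) are matched.

```python
import ntpath
import os
from typing import Dict, List, Tuple

# Indicators from the description above. Both spellings of the dropped copy that
# appear in write-ups are matched.
DROPPED_EXE = {"cftrb32.exe", "cfrtb32.exe"}
DROPPED_DAT = "rssp32.dat"
RUN_VALUE_NAME = "sftrb service"
EXPECTED_SIZE = 59378
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP_DIRS = [
    r"\Documents and Settings\All Users\Start Menu\Programs\Startup",
    r"\Windows\All Users\Start Menu\Programs\Startup",
]
EXEC_EXTS = {".exe", ".pif", ".scr", ".com", ".bat"}


def _in_startup_folder(path: str) -> bool:
    return "\\start menu\\programs\\startup\\" in path.lower().replace("/", "\\")


def find_indicators(run_values: Dict[str, Dict[str, str]],
                    files: Dict[str, int]) -> List[str]:
    """Match a host snapshot against the indicators.

    run_values: {"HKLM": {value_name: data}, "HKCU": {...}} for the Run keys.
    files:      {full_path: size_in_bytes} for %WinDir% and the All Users Startup folders.
    """
    findings: List[str] = []
    for hive, values in run_values.items():
        for name, data in values.items():
            # Flag the known value name, or any Run value that launches the dropped file.
            target = ntpath.basename(data.strip().strip('"')).lower()
            if name.lower() == RUN_VALUE_NAME or any(target.startswith(x) for x in DROPPED_EXE):
                findings.append(f"registry: {hive}\\{RUN_KEY}\\{name} = {data}")
    for path, size in files.items():
        base = ntpath.basename(path).lower()
        ext = ntpath.splitext(base)[1]
        if base in DROPPED_EXE:
            note = "" if size == EXPECTED_SIZE else f" (size {size}, expected {EXPECTED_SIZE})"
            findings.append(f"file: {path}{note}")
        elif base == DROPPED_DAT:
            findings.append(f"file: {path}")
        elif _in_startup_folder(path) and ext in EXEC_EXTS:
            # Share propagation drops the worm under arbitrary names here, so any
            # executable in the All Users Startup folder is worth a look.
            findings.append(f"startup folder executable: {path}")
    return findings


def collect_snapshot() -> Tuple[Dict[str, Dict[str, str]], Dict[str, int]]:
    """Gather the same inputs from a live Windows host (Windows only)."""
    import winreg  # only available on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    run_values: Dict[str, Dict[str, str]] = {}
    for label, hive in hives.items():
        run_values[label] = {}
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # raised when no more values remain
                        break
                    run_values[label][name] = str(data)
                    index += 1
        except OSError:
            pass
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    drive = os.path.splitdrive(windir)[0]
    files: Dict[str, int] = {}
    for folder in [windir] + [drive + d for d in STARTUP_DIRS]:
        if os.path.isdir(folder):
            for entry in os.scandir(folder):
                if entry.is_file():
                    files[entry.path] = entry.stat().st_size
    return run_values, files


# Constructed snapshot of an infected host (not captured from a real machine).
SAMPLE_RUN = {
    "HKLM": {"SFtrb Service": r"C:\WINNT\CFTRB32.EXE",
             "Synchronization Manager": "mobsync.exe /logon"},
    "HKCU": {"SFtrb Service": r"C:\WINNT\CFTRB32.EXE"},
}
SAMPLE_FILES = {
    r"C:\WINNT\CFTRB32.EXE": 59378,
    r"C:\WINNT\RSSP32.DAT": 2048,
    r"C:\WINNT\notepad.exe": 50960,
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\application.pif": 59378,
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini": 84,
}

if __name__ == "__main__":
    run, files = collect_snapshot() if os.name == "nt" else (SAMPLE_RUN, SAMPLE_FILES)
    for finding in find_indicators(run, files) or ["no indicators found"]:
        print(finding)
```

A size that differs from 59,378 bytes is reported rather than ignored, since a file with the dropped name but another size still needs explaining (a different variant, or a truncated copy from a share).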
Method of Infection
This worm propagates via email and network shares.
The worm contains a routine that checks the system date: on or after 2 July 2003 it no longer propagates, although it still installs itself when executed on a target machine.
Removal
Detection is included in the released 4266 DAT files as W32/Sobig.dam. The 4272 DAT files contain precise detection and removal as W32/Sobig.d@MM.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup are removed when cleaning with the 4.1.60 (or later) engine and the 4272 (or later) DATs.
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
- Win9x/ME: reboot the system into Safe Mode (press F8 as soon as the "Starting Windows" text is displayed and choose Safe Mode).
- WinNT/2K/XP: terminate the process CFTRB32.EXE.
- Delete the following files from the Windows directory (typically C:\WINDOWS or C:\WINNT):
- CFTRB32.EXE
- RSSP32.DAT
- Delete unusual executables from the following folders:
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
- C:\Windows\All Users\Start Menu\Programs\Startup\
- Edit the Registry and delete the "SFtrb Service" value from each of the following keys:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Reboot the system.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.Sobig.D@mm (NAV)
- Win32.HLLM.Reteras (Dialogue Science)