W32/Sobig.e@MM

Type
Virus
SubType
Internet Worm
Discovery Date
06/25/2003
Length
86,528 (.pif) bytes
82,340 (.zip) bytes
Minimum DAT
4273 (06/25/2003)
Updated DAT
4287 (08/19/2003)
Minimum Engine
5.1.00
Description Added
06/25/2003
Description Modified
06/27/2003 1:52 PM (PT)
Risk Assessment
Corporate User
Medium
Home User
Medium

Characteristics

-- Update June 25, 2003 --
This threat was upgraded to a Medium risk due to an increase in prevalence over the past few hours.

Stinger has been updated to detect and remove W32/Sobig.e@MM.

McAfee users are proactively protected from this new variant when using the 4266 DAT files, the 4.2.40+ scan engine, and scanning of compressed executables; the detection name is W32/Sobig. The 4273 DAT files support 4.1.60 engine users and detect this variant as W32/Sobig.e@MM.

This variant is similar to W32/Sobig.d@MM. The worm propagates via email and over network shares. It contains its own SMTP engine for constructing outgoing messages. The virus is sent in a ZIP archive, which lets it bypass attachment-extension blocking rules; however, the recipient must extract the archive and run the .PIF inside it before the worm executes.

Mail Propagation

The worm mails itself to recipients extracted from the victim machine, constructing messages using its own SMTP engine.

As with W32/Sobig@MM, the outgoing messages constructed by the worm may omit the closing quote from the attachment filename. With certain mail servers this causes one character of the filename to be lost, so attachments may arrive with a ".ZI" extension rather than ".ZIP".

Target email addresses are extracted from files on the victim machine with the following extensions:

  • WAB
  • DBX
  • HTM
  • HTML
  • EML
  • TXT

The worm may arrive in an email with the following characteristics:

Body: Please see the attached zip file for details.
Attachment: your_details.zip (which contains details.pif)

* Note: This variant spoofs (forges) the From address, so the apparent sender is unlikely to be the infected user.
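A gateway-side check for the mail described above, as an added example that is not McAfee's or the worm's code. It blocks a message when the attachment name matches your_details.zip (including the truncated ".zi" form some relays produce from the unclosed quote), when the archive contains an executable-type member such as details.pif, or when the body carries the worm's one-line template. The executable-extension blocklist is an assumption (the advisory only names the .pif dropper), and the message and archive built by build_sample() are constructed placeholders.

```python
"""Gateway check for the Sobig.e mail described above.

Added example, not McAfee's or the worm's code. The sample message and its
archive are constructed; the .pif member is inert filler, not the worm.
"""
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: a typical gateway blocklist of executable extensions; the
# advisory itself only names the .pif dropper.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
# "zip?" also matches "zi", the extension left after a relay drops one character.
SOBIG_NAME = re.compile(r"^your_details\.zip?$", re.IGNORECASE)
SOBIG_BODY = "Please see the attached zip file for details."


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP archive from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def archive_executables(data: bytes) -> list[str]:
    """Return the archive members whose extension is on the blocklist.
    Non-ZIP data yields [] so that a malformed attachment cannot crash the filter."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTS]
    except zipfile.BadZipFile:
        return []


def classify(raw: bytes) -> dict:
    """Parse one RFC 822 message and decide whether to block it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if SOBIG_NAME.match(name):
            reasons.append(f"attachment name {name!r} matches Sobig.e")
        execs = archive_executables(payload)
        if execs:
            reasons.append(f"archive {name!r} contains executable member(s) {execs}")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and SOBIG_BODY in body.get_content():
        reasons.append("body text matches the Sobig.e template")
    return {"block": bool(reasons), "reasons": reasons}


def build_sample() -> bytes:
    """Constructed look-alike of the worm's mail, with the truncated .zi name."""
    msg = EmailMessage()
    msg["From"] = "forged-sender@example.com"   # Sobig.e forges the From address
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content(SOBIG_BODY)
    msg.add_attachment(make_zip({"details.pif": b"placeholder, not the worm"}),
                       maintype="application", subtype="octet-stream",
                       filename="your_details.zi")
    return msg.as_bytes()


if __name__ == "__main__":
    verdict = classify(build_sample())
    print("BLOCK" if verdict["block"] else "PASS")
    for reason in verdict["reasons"]:
        print(" -", reason)
```

The point of inspecting the archive contents rather than only the attachment extension is exactly the bypass the advisory describes: a rule that blocks ".pif" lets "your_details.zip" (or ".zi") through, while a rule that opens the archive catches the dropper regardless of what the outer filename was mangled into.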

Share Propagation

The worm enumerates network shares. It tries to copy itself to the following network locations if the paths are accessible:

  • \Documents and Settings\All Users\Start Menu\Programs\Startup\
  • \Windows\All Users\Start Menu\Programs\Startup\

Installation

Upon execution, the worm drops the following files into the %windir% directory:

  • "winssk32.exe" (approx 85kB) (a copy of itself)
  • "msrrf.dat" (configuration file)

The following Registry keys are added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run "SSK Service" = %WinDir%\winssk32.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run "SSK Service" = %WinDir%\winssk32.exe

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

Self Updating

The worm listens on UDP ports 995-999 for update instructions, which name the remote site(s) from which it should download updates.

Symptoms

- Presence of the file winssk32.exe in the WINDOWS (%WinDir%) directory
- System listening on UDP Ports 995 - 999
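A host check for the installation artifacts and symptoms listed above, as an added example rather than McAfee tooling. The decision logic takes plain data (file names in %WinDir%, the Run values of both hives, the local UDP ports) so it can be exercised against the constructed samples below; collect_live() gathers the same data on a Windows host and is an assumption that it runs as an account able to read HKLM and run netstat. A UDP listener in 995-999 is only a weak signal by itself, which is why it is reported alongside the file and registry indicators rather than on its own.

```python
"""Host check for the Sobig.e indicators listed above.

Added example, not McAfee's tooling. The netstat output, file list and
registry values below are constructed samples for the demonstration.
"""
import os
import re
import subprocess
import sys

INDICATOR_FILES = {"winssk32.exe", "msrrf.dat"}
RUN_VALUE = "SSK Service"
UPDATE_PORTS = range(995, 1000)   # UDP 995-999, the worm's update channel
# Matches a line of `netstat -an` such as "  UDP    0.0.0.0:997            *:*"
_UDP_LINE = re.compile(r"^\s*UDP\s+\S+:(\d+)\s", re.IGNORECASE)


def parse_netstat_udp(text: str) -> set[int]:
    """Return the local UDP ports listed in `netstat -an` output."""
    ports = set()
    for line in text.splitlines():
        m = _UDP_LINE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def check_indicators(windir_files, run_values, udp_ports) -> list[str]:
    """windir_files: names in %WinDir%; run_values: {hive: {value_name: data}};
    udp_ports: local UDP ports. Returns one line per indicator found."""
    findings = []
    present = INDICATOR_FILES & {f.lower() for f in windir_files}
    for f in sorted(present):
        findings.append(f"{f} present in %WinDir%")
    for hive, values in run_values.items():
        for name, data in values.items():
            if name.lower() == RUN_VALUE.lower() or "winssk32.exe" in str(data).lower():
                findings.append(f"{hive}\\...\\Run {name!r} = {data!r}")
    hit = sorted(set(udp_ports) & set(UPDATE_PORTS))
    if hit:
        findings.append(f"UDP listener(s) on {hit} (update channel 995-999)")
    return findings


def collect_live():
    """Windows only (assumption: account can read HKLM and run netstat)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows")
    import winreg  # present in Windows builds of Python
    files = os.listdir(os.environ.get("WINDIR", r"C:\WINDOWS"))
    run_values = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        values = {}
        try:
            with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:      # end of the value list
                        break
                    values[name] = data
                    i += 1
        except OSError:                  # key absent or unreadable
            pass
        run_values[hive_name] = values
    netstat = subprocess.run(["netstat", "-an", "-p", "udp"],
                             capture_output=True, text=True, check=False).stdout
    return files, run_values, parse_netstat_udp(netstat)


# Constructed samples: an infected host as the advisory describes it.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:997            *:*
  UDP    127.0.0.1:1900         *:*
"""
SAMPLE_FILES = ["explorer.exe", "WinSSK32.exe", "msrrf.dat", "win.ini"]
SAMPLE_RUN = {"HKLM": {"SSK Service": r"C:\WINDOWS\winssk32.exe"},
              "HKCU": {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}}

if __name__ == "__main__":
    if sys.platform == "win32":
        inputs = collect_live()
    else:
        inputs = (SAMPLE_FILES, SAMPLE_RUN, parse_netstat_udp(SAMPLE_NETSTAT))
    for line in check_indicators(*inputs) or ["no Sobig.e indicators found"]:
        print(line)
```

File-name matching is case-insensitive because the worm's file appears on disk however the FAT or NTFS volume happens to case it, and the Run value is matched both by its name and by its data so that a renamed value still pointing at winssk32.exe is caught.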

Method of Infection

This worm propagates via email and network shares.

Removal

Proactive protection is included in the released 4266 DAT files as W32/Sobig, but requires the 4.2.40+ scan engine and scanning of compressed executables. The 4273 DAT files detect this as W32/Sobig.e@MM with all supported scan engines.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup are removed when cleaning with the 4.1.60+ engine and the 4273 or later DATs.

Stinger has been updated to detect and remove W32/Sobig.e@MM.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:
  1. - Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
    - WinNT/2K/XP - Terminate the process winssk32.exe
  2. Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt)
    • winssk32.exe
    • msrrf.dat
  3. Delete unusual executables from the following folders:
    • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    • C:\Windows\All Users\Start Menu\Programs\Startup\
  4. Edit the registry
    • Delete the "SSK Service" value from
      1. "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
        CurrentVersion\Run"
      2. "HKEY_CURRENT_USER\Software\Microsoft\Windows\
        CurrentVersion\Run"
  5. Reboot the system

McAfee ThreatScan Users :
A ThreatScan signature update has been posted to locate machines infected with the Sobig.e worm.

To update your ThreatScan signatures

1. From within ePO open the "Policies" tab.
2. Select "McAfee ThreatScan" and then select "Scan Options"
3. In the pane below click the "Launch AutoUpdater" button.
4. Using the default settings, proceed through the dialogs that appear. Upon successful completion of the update a message will appear stating that update 2003-06-26 has completed successfully.
5. From within ePO create a new "AutoUpdate on Agent(s)" task.
6. Go into the settings for this task and ensure that the host field is set to ftp.nai.com, the path is set to /pub/security/tsc20/updates/winnt/ and that the user and password fields are both set to ftp. Note that "tsc20" in the above path is used for ThreatScan 2.0 and 2.1. The correct path for ThreatScan 2.5 is "tsc25".
7. Launch this task against all agent machines.
8. When the task(s) complete, information will be available in the "Task Status Details" report.

After updating, do the following to find infected machines:
1. Create a new ThreatScan task.
2. Edit the settings of this task.
3. Edit the "Task option", "Host IP Range" to include all desired machines to scan.
4. Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
-or-
Select the "Other" category and "Scan All Vulnerabilities" template.
5. Launch the scan.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Sobig.E (F-Secure)