W32/Sobig.a@MM

Type
Virus
SubType
E-mail worm
Discovery Date
01/09/2003
Length
65,536 bytes (tElock packed)
Minimum DAT
4242 (01/11/2003)
Updated DAT
4296 (10/01/2003)
Minimum Engine
5.1.00
Description Added
01/09/2003
Description Modified
10/17/2003 2:37 PM (PT)
Risk Assessment
Corporate User
Medium
Home User
Medium

Characteristics

-- Update January 15, 2003 --
This threat was downgraded due to a decrease in prevalence over the past 24 hours.

-- Update January 14, 2003 --
It was discovered that in some cases the virus attachment may arrive with a filename having a ".PI" extension instead of ".PIF" (it would not get run if double-clicked on, of course). This extension is added to the default list in the 4243 DATs.

-- Update January 11, 2003 --
This threat was upgraded to a Medium risk due to an increase in prevalence over the past 36 hours.

-- Update January 10, 2003 --
This threat is considered to be Low-Profiled due to The Inquirer article "Four viral worms spreading across the Windows Web".

This worm is written in MSVC and attempts to spread via network shares and email. The worm contains its own SMTP engine.

Email Propagation

Outgoing messages are formatted as follows:

From: big@boss.com
Subject: One of the following:
  • Re: Movies
  • Re: Sample
  • Re: Document
  • Re: Here is that sample
Attachment: 65,536 bytes with one of the following filenames:
  • Movie_0074.mpeg.pif
  • Document003.pif
  • Untitled1.pif
  • Sample.pif
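
The following mail-gateway triage function is an added example (not part of the McAfee description): it scores a raw message against the sender, subject, attachment name, extension and size indicators listed above, treating a ".PI" extension the same as ".PIF" as per the January 14 update. The sample messages are constructed inside the block, and the two-indicator quarantine threshold is an assumption.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the description; ".pi" is the truncated extension seen in the field.
SENDER = "big@boss.com"
SUBJECTS = {"Re: Movies", "Re: Sample", "Re: Document", "Re: Here is that sample"}
ATTACH_NAMES = {"movie_0074.mpeg.pif", "document003.pif", "untitled1.pif", "sample.pif"}
ATTACH_EXTS = (".pif", ".pi")
WORM_SIZE = 65_536


def sobig_indicators(raw: bytes) -> list[str]:
    """Return the Sobig.a indicators present in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if parseaddr(str(msg.get("From", "")))[1].lower() == SENDER:
        hits.append("sender")
    if str(msg.get("Subject", "")).strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACH_NAMES:
            hits.append("attachment-name")
        elif name.endswith(ATTACH_EXTS):
            hits.append("attachment-ext")
        if len(part.get_payload(decode=True) or b"") == WORM_SIZE:
            hits.append("attachment-size")
    return hits


def should_quarantine(raw: bytes) -> bool:
    """Hold the message when two or more distinct indicators match, so a lone
    'Re: Sample' subject from a legitimate sender is not blocked (assumed threshold)."""
    return len(set(sobig_indicators(raw))) >= 2


def build_sample(subject: str, filename: str, size: int) -> bytes:
    """Constructed test message from the worm's sender; the attachment is
    filler bytes, not the worm."""
    m = EmailMessage()
    m["From"] = SENDER
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("see attached")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```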

Email addresses may be harvested from files on the victim machine with the following extensions:

  • WAB
  • DBX
  • HTM
  • HTML
  • EML
  • TXT

Network Propagation

The worm enumerates shares on the network, intending to copy itself to one of the following folders on remote machines:

\WINDOWS\ALL USERS\START MENU\PROGRAMS\STARTUP

or

\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP

Symptoms

  • Existence of the file WINMGM32.EXE in the Windows directory, file size 65,536 bytes.
  • Existence of the file SNTMLS.DAT in the Windows directory
  • Existence of the file DWN.DAT in the Windows directory

Method of Infection

At least one field sample AVERT has received was dropped by a multidropper package. This package dropped two files: a pornographic image (which is displayed) and the worm. The multidropper package is detected as MultiDropper-FB with the 4242 DATs.

When run, the worm installs itself into the Windows directory as WINMGM32.EXE. Two registry Run values are added so that the worm is launched at system startup, for example:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsMGM" = C:\WINDOWS\winmgm32.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsMGM" = C:\WINDOWS\winmgm32.exe

Email addresses harvested from the local machine are written to the file (confirmed via field reports, not observed in testing):

%WinDir%\SNTMLS.DAT

The worm retrieves a text file from a Geocities user page (http://www.geocities.com/reteras). At the time of writing, this file contained a single URL:

http://www.doesnotexist.com/blah.txt

If retrieved successfully, this URL is written to the file %WinDir%\DWN.DAT.
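
The following host check is an added example (not McAfee/AVERT code) covering the file indicators under Symptoms and the Run values and data files described in this section. The Windows directory and the Run-key values are passed in as arguments so the logic can be exercised on a constructed directory; read_run_values shows how the values would be collected on a Windows host with winreg.

```python
import tempfile
from pathlib import Path

WORM_FILE = "WINMGM32.EXE"          # dropped copy of the worm, 65,536 bytes
WORM_SIZE = 65_536
DATA_FILES = ("SNTMLS.DAT", "DWN.DAT")  # harvested addresses / downloaded URL
RUN_VALUE = "WindowsMGM"            # value name under both Run keys


def sobig_host_indicators(windir: Path, run_values: dict[str, str]) -> list[str]:
    """Return the indicators found, given %WinDir% and the merged HKCU/HKLM
    ...\\CurrentVersion\\Run values (value name -> command)."""
    hits = []
    exe = windir / WORM_FILE
    if exe.is_file():
        # Report a size mismatch separately so an analyst can tell a different
        # build (or an unrelated file of the same name) from the known sample.
        hits.append("winmgm32.exe" if exe.stat().st_size == WORM_SIZE
                    else "winmgm32.exe (unexpected size)")
    for name in DATA_FILES:
        if (windir / name).is_file():
            hits.append(name.lower())
    for value, cmd in run_values.items():
        if value == RUN_VALUE or "winmgm32.exe" in cmd.lower():
            hits.append(f"run:{value}")
    return hits


def read_run_values() -> dict[str, str]:
    """Merge the Run values of HKCU and HKLM; only works on a Windows host."""
    import winreg
    found = {}
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, i)
                    found[name] = str(data)
        except OSError:
            pass
    return found


def make_sample_windir() -> Path:
    """Constructed Windows directory with filler files, for exercising the check."""
    d = Path(tempfile.mkdtemp())
    (d / WORM_FILE).write_bytes(b"\x00" * WORM_SIZE)
    (d / "SNTMLS.DAT").write_text("harvested@example.com\n")
    return d
```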

Since analysis started, the URL has been updated and now references a remote PE file, which the worm subsequently attempts to download. This file is detected as BackDoor-AOT with the 4242 DATs.

The worm contains the string:

Worm.X

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Sobig (AVP)
  • W32.Sobig.A@mm (Symantec)
  • W32/Sobig (Panda)
  • W32/Sobig-A (Sophos)
  • W32/Sobig@MM
  • Win32.Sobig (CA)
  • WORM_SOBIG.A (Trend)
