Help & HowTo: Sobig.C
Published: 02 Jun 2003 16:13 BST
Sobig.C is loose on the Internet and has spread to over 80 countries since its release on 31 May, 2003.
Sobig.C (w32.sobig.c@mm) is a variant of the Sobig worm and arrives by email with an attached file; it also spreads using shared network files.
Once executed, Sobig.C will attempt to send copies of itself via its own SMTP engine. It will also attempt to download Trojan-horse files from a Web site that has since been shut down. Sobig.C is self-terminating and will only spread until June 8, 2003. Because Sobig.C spreads via email and network share but doesn't damage system files, this worm rates a 4/10 on the ZDNet Virus Meter.
How it works
Sobig.C arrives via email or shared network file. The email appears to be from someone you might know, but this address is spoofed. The email's subject line may include one of the following:
Approved
Re: 45443-343556
Re: Application
Re: Approved
Re: Movie
Re: Screensaver
Re: Submited (004756-3463)
Re: Your application
The e-mail's attachment may have one of the following filenames:
45443.pif
application.pif
approved.pif
document.pif
documents.pif
movie.pif
screensaver.scr
submited.pif
In some cases, the extension might read .pi, not .pif.
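A mail-gateway filter that flags the subject lines and attachment names listed above, including the truncated .pi extension, is shown here as an added example; it is not part of the original article. The build_sample helper and the messages it constructs are assumptions for testing, not captured Sobig.C mail.

```python
import email
from email import policy

# Indicators quoted from the advisory above; ".pi" covers the truncated-extension variant it mentions.
SOBIG_C_SUBJECTS = {
    "Approved", "Re: 45443-343556", "Re: Application", "Re: Approved",
    "Re: Movie", "Re: Screensaver", "Re: Submited (004756-3463)", "Re: Your application",
}
SOBIG_C_ATTACHMENTS = {
    "45443.pif", "application.pif", "approved.pif", "document.pif",
    "documents.pif", "movie.pif", "screensaver.scr", "submited.pif",
}
EXECUTABLE_EXTENSIONS = (".pif", ".pi", ".scr")


def sobig_c_indicators(raw_message):
    """Parse one RFC 822 message and return the Sobig.C indicators it matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SOBIG_C_SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.iter_attachments():  # body text parts are skipped automatically
        name = (part.get_filename() or "").strip()
        if name.lower() in SOBIG_C_ATTACHMENTS:
            hits.append(f"attachment:{name}")
        elif name.lower().endswith(EXECUTABLE_EXTENSIONS):
            # Not a listed name, but one of the executable extensions the worm uses
            hits.append(f"suspicious-extension:{name}")
    return hits


def build_sample(subject, filename=None):
    """Construct a test message (not a real capture); filename=None gives a plain text mail."""
    head = f"From: colleague@example.com\r\nTo: you@example.com\r\nSubject: {subject}\r\nMIME-Version: 1.0\r\n"
    if filename is None:
        return (head + "\r\nSee you at noon.\r\n").encode()
    return (head + 'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
            "--b1\r\nContent-Type: text/plain\r\n\r\nPlease see the attached file.\r\n"
            f'--b1\r\nContent-Type: application/octet-stream; name="{filename}"\r\n'
            f'Content-Disposition: attachment; filename="{filename}"\r\n'
            "Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n--b1--\r\n").encode()


if __name__ == "__main__":
    print(sobig_c_indicators(build_sample("Re: Movie", "movie.pif")))
    print(sobig_c_indicators(build_sample("Re: Submited (004756-3463)", "submited.pi")))
    print(sobig_c_indicators(build_sample("Lunch tomorrow?")))
```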
This worm does not automatically execute -- you must open the attached file to become infected with Sobig.C. Upon execution, the worm adds the following files to the default Windows directory:
"mscvb32.exe" (approximately 50K; a copy of itself)
"msddr.dat" (configuration file)
Upon execution, the worm attempts to make the following changes to the system Registry so that the worm will load each time you start up your computer:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "System MScvb" = [Windows directory]\mscvb32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "System MScvb" = [Windows directory]\mscvb32.exe
Sobig.C also spreads via shared network files. It attempts to copy itself to the following directories on remote systems:
\Documents and Settings\All Users\Start Menu\Programs\Startup\
\Windows\All Users\Start Menu\Programs\Startup\
Prevention
In general, do not open attached files in e-mail without first saving them to hard disk and scanning them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signature files that include Sobig.C. Sobig.C is set to expire on its own on June 8, 2003.
Removal
Several antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee, Messagelabs, Norman, Panda, Sophos, Symantec and Trend Micro.