Help & HowTo: Sobig.e worm

Robert Vamosi ZDNet US

Published: 26 Jun 2003 10:20 BST

The latest in a family of Sobig worms is loose on the Internet.

Sobig.e (w32.sobig.e@mm) arrives by email with an attached file and also spreads using shared network files. Unlike previous variations of Sobig, this one uses subject headings borrowed from Sobig.c and only one attached filename, making it somewhat easier to recognize. Sobig.e affects only Windows users.

Once executed, Sobig.e sends copies of itself using its own SMTP engine, so it does not depend on the victim's mail client. It also attempts to download Trojan horse files from a Web site. Sobig.e is self-terminating: it will spread only until 14 July 2003. Because Sobig.e spreads via email and network shares and may steal personal information such as passwords, this worm rates a 6 on the ZDNet Virus Meter.

How it works
Sobig.e arrives via email or a shared network file. The sender address is spoofed, so the message may appear to come from someone you know; the "From" line is not evidence of which machine is infected. The email's subject line may be one of the following:
Application Ref: 456003
Your application
Re: Re: Document
Re: Re: Application ref. 003644
Re: Documents
Re: Screensaver
Re: Submited (Ref: 003746)
Re: Movies
Re: Movie
Re: Application

The attached file is your_details.zip. Because most extension-blocking rules in email clients and gateways do not block ZIP archives, the attachment will usually reach your inbox; do not open it. Some copies of Sobig.e sent from infected machines carry the attachment with a truncated .zi extension instead of .zip.

The body text for Sobig.e may also read "Please see the attached zip file for details."
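The three indicators above (subject line, attachment name, body text) are enough to flag a suspect message at a mail gateway or in a mailbox export. The following is an added example, not code from the article or from any antivirus vendor: it parses an RFC 822 message with Python's standard `email` module and reports which Sobig.e indicators matched. The subject, attachment and body strings are taken from the article; the test-message builder and the extra check for executables inside the ZIP are assumptions added for illustration.

```python
"""Flag mail that matches the Sobig.e indicators listed above (subject, attachment name, body text).

Added example: the indicator strings come from the article; everything else (the
sample message builder, the archive-member heuristic) is an assumption for illustration.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lines exactly as listed in the article (including the worm's own "Submited" misspelling).
SOBIG_E_SUBJECTS = {
    "Application Ref: 456003",
    "Your application",
    "Re: Re: Document",
    "Re: Re: Application ref. 003644",
    "Re: Documents",
    "Re: Screensaver",
    "Re: Submited (Ref: 003746)",
    "Re: Movies",
    "Re: Movie",
    "Re: Application",
}
SOBIG_E_BODY = "please see the attached zip file for details"
# your_details.zip, or the truncated your_details.zi that some infected hosts send.
SOBIG_E_ATTACHMENT = re.compile(r"^your_details\.zip?$", re.IGNORECASE)
# Assumption (not from the article): an executable inside a mailed archive is worth flagging on its own.
EXECUTABLE_EXT = (".exe", ".pif", ".scr", ".com", ".bat")


def scan_message(raw):
    """Return a list of matched indicators for one RFC 822 message (empty list = nothing matched)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SOBIG_E_SUBJECTS:
        hits.append("subject: " + subject)
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and SOBIG_E_BODY in body.get_content().lower():
        hits.append("body text matches")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if SOBIG_E_ATTACHMENT.match(name):
            hits.append("attachment name: " + name)
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"PK":  # ZIP signature; checked regardless of the claimed extension
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                    members = [n for n in archive.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
            except zipfile.BadZipFile:
                members = []
            if members:
                hits.append("archive carries executable(s): " + ", ".join(members))
    return hits


def build_sample(subject, attach_name, member_name, body="Please see the attached zip file for details."):
    """Constructed test message: a ZIP holding a harmless placeholder, NOT a real Sobig.e sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, b"placeholder, not a program")
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"  # spoofed sender, as the article describes
    msg["To"] = "you@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=attach_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in scan_message(build_sample("Re: Application", "your_details.zip", "details.pif")):
        print(hit)
```

The ZIP check keys on the `PK` signature rather than the file extension, which is what catches the `.zi` variants: the extension changes, the archive does not.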

This worm does not execute automatically: you must open the attached file to become infected with Sobig.e. Upon execution, the worm adds the following files to the default Windows directory:

WinSSK32.EXE (Copy of the worm)
MSRRF.DAT (configuration file)
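A quick way to confirm an infection on a host is to look for those two dropped files in the Windows directory. This is an added example (not from the article or any vendor tool): it lists the Windows directory, matches the two file names case-insensitively, and records size and SHA-256 for each hit so the sample can be submitted to an antivirus vendor. The demo uses a temporary directory with empty placeholder files as a stand-in for %WINDIR%; the file names are the ones the article gives.

```python
"""Look for the files Sobig.e drops in the Windows directory (names from the article).

Added example; the demo directory and placeholder files are constructed, not a real infection.
"""
import hashlib
import os
import tempfile

# File name (lower-cased) -> role, as described in the article.
SOBIG_E_FILES = {
    "winssk32.exe": "copy of the worm",
    "msrrf.dat": "configuration file",
}


def find_sobig_artifacts(windir):
    """Return {name_on_disk: (role, size_bytes, sha256_hex)} for each dropped file present.

    Matching is case-insensitive because Windows file systems are; the hash is
    recorded so a suspect file can be identified or submitted without re-reading it.
    """
    found = {}
    try:
        entries = os.listdir(windir)
    except OSError:  # directory missing or unreadable: report nothing rather than crash
        return found
    for entry in entries:
        role = SOBIG_E_FILES.get(entry.lower())
        if role is None:
            continue
        path = os.path.join(windir, entry)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        found[entry] = (role, os.path.getsize(path), digest)
    return found


def demo():
    """Constructed stand-in for %WINDIR%: empty placeholder files, not the worm."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("WinSSK32.EXE", "MSRRF.DAT", "notepad.exe"):
            open(os.path.join(tmp, name), "wb").close()
        return find_sobig_artifacts(tmp)


if __name__ == "__main__":
    windir = os.environ.get("WINDIR", r"C:\Windows")  # assumption: default location if the variable is unset
    for name, (role, size, digest) in find_sobig_artifacts(windir).items():
        print(f"{name}: {role}, {size} bytes, sha256={digest}")
```

Run it on the suspect machine itself; the presence of WinSSK32.EXE alone is a strong sign, since Windows does not ship a file of that name.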

Upon execution, the worm also searches files on the disk with the following extensions (plain text, mail, HTML, Outlook Express mail stores and Windows Address Books) for embedded email addresses to send itself to:
TXT
EML
HTML
HTM
DBX
WAB

Sobig.e may contain a list of NTP (Network Time Protocol) servers and sends packets to them on port 123, the NTP port.
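Port 123/udp is NTP, so an infected workstation that suddenly sends NTP client requests to outside servers stands out on a network where time is normally synchronised from a local server. The following is an added example, not code from the article: it builds a constructed 48-byte NTP client packet, decodes the leap/version/mode byte and the transmit timestamp, flags client-mode NTP from hosts that are not on an allow-list, and checks the timestamp against the worm's 14 July 2003 cut-off. The assumption that the port-123 traffic is well-formed NTP, and the allow-list of approved time clients, are the example's own.

```python
"""Decode UDP port 123 (NTP) packets and flag unexpected NTP clients.

Added example. Assumes the port-123 traffic is standard 48-byte NTP (RFC 1305/5905 header
layout); the sample packets are constructed here, not captured from the worm.
"""
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)  # NTP timestamps count seconds from 1900
KILL_DATE = datetime(2003, 7, 14, tzinfo=timezone.utc)  # Sobig.e stops spreading on 14 July 2003
NTP_PORT = 123
MODE_CLIENT = 3


def ntp_seconds(when):
    """Whole seconds since the NTP epoch for an aware datetime."""
    return int((when - NTP_EPOCH).total_seconds())


def build_client_request(when, version=3):
    """Constructed sample: LI=0, VN=version, Mode=3 (client); only the transmit timestamp is set."""
    first = (version << 3) | MODE_CLIENT
    # first word (LI/VN/Mode, stratum, poll, precision) + root delay, root dispersion,
    # reference id + reference/originate/receive timestamps = 40 bytes, then transmit (8 bytes)
    header = bytes([first, 0, 0, 0]) + b"\0" * 36
    return header + struct.pack("!II", ntp_seconds(when), 0)


def sample_packet(year, month, day):
    """Constructed client request whose transmit timestamp is midnight UTC on the given date."""
    return build_client_request(datetime(year, month, day, tzinfo=timezone.utc))


def parse_ntp(packet):
    """Return leap indicator, version, mode and the transmit timestamp (ISO 8601, UTC)."""
    if len(packet) < 48:
        raise ValueError("not an NTP packet: shorter than 48 bytes")
    first = packet[0]
    leap, version, mode = first >> 6, (first >> 3) & 7, first & 7
    secs, frac = struct.unpack("!II", packet[40:48])
    transmit = NTP_EPOCH + timedelta(seconds=secs + frac / 2**32)
    return {"leap": leap, "version": version, "mode": mode, "transmit": transmit.isoformat()}


def past_kill_date(packet):
    """True if the packet's transmit timestamp is on or after the worm's self-termination date."""
    return datetime.fromisoformat(parse_ntp(packet)["transmit"]) >= KILL_DATE


def suspicious_ntp(src_host, dst_port, packet, allowed_clients):
    """Describe the packet if it is a client-mode NTP request from a host not approved to sync time.

    Assumption: time sync is centralised, so ordinary workstations should not be NTP clients.
    Returns None for non-NTP ports, server/broadcast modes, or approved hosts.
    """
    if dst_port != NTP_PORT:
        return None
    info = parse_ntp(packet)
    if info["mode"] != MODE_CLIENT or src_host in allowed_clients:
        return None
    return "%s: unexpected NTP client request (v%d, transmit=%s)" % (
        src_host, info["version"], info["transmit"])


if __name__ == "__main__":
    pkt = sample_packet(2003, 6, 26)  # the article's publication date, constructed
    print(parse_ntp(pkt))
    print(suspicious_ntp("10.0.0.7", NTP_PORT, pkt, {"10.0.0.1"}))
```

The version and mode fields are the useful discriminators: a legitimate time server answers in mode 4, so repeated mode-3 requests from a desktop to several external addresses, with nothing but the transmit timestamp filled in, are the pattern to alert on.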

Removal
A few antivirus software companies have already updated their signature files to include this worm. Updated signatures will detect the worm on arrival and, in some cases, remove an active infection from your system. For more information, see Central Command, Computer Associates, McAfee, MessageLabs, Norman, Panda, Sophos, and Symantec.

