Win32:Sobig-E
is again a successor of the previous Win32:Sobig variants. Like the previous worms, its spreading is time-limited - in this case it stops spreading on July 14th 2003. When executed, the worm drops two files in the %WINDOWS% folder:
winssk32.exe (an 86528-byte file holding a copy of the worm)
msrrf.dat (data file)
and adds a value named "SSK Service" with the data "%WINDOWS%\winssk32.exe" to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
(the second key is used only on Windows NT, 2000 or XP).
Note: %WINDOWS% is the folder where the Windows system is installed. It is usually C:\Windows on Windows 95, 98, ME or XP, or C:\WinNT on Windows NT or 2000. These are the default folder names, but the user can choose any other name during Windows installation.
The worm spreads through two channels - e-mail and shared folders. It contains its own SMTP engine for e-mail propagation.
Infected mails have one of the following "Subject:" fields:
004448554.pif
Application.pif
Applications.pif
movie.pif
new document.pif
Re: Application
Re: document.pif
Re: Documents
Re: Movie
Re: Movies
Re: Re: Application ref 003644
Re: Re: Document
Re: Screensaver
Re: Submitted
Referer.pif
Screensaver.scr
submited.pif
Your application
The mail body contains the sentence "Please see the attached zip file for details." The attachment can have one of these names:
application.zip
document.zip
movie.zip
your_details.zip
screensaver.zip
Due to a small violation of the Internet standard for naming mail attachments (possibly a bug), in some mail clients the attachment may appear with a .ZI extension rather than .ZIP.
The worm spoofs the "From:" address - it might be anything. The "From:" address visible in an infected mail usually has no connection to the actual source of the mail, so it cannot be used to trace the infected machine. The worm harvests the addresses it spreads to from files with the extensions DBX, EML, HTM, HTML, TXT and WAB.
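The indicators above (subject line, body sentence, attachment name, and the .ZI truncation) can be turned into a simple mail-gateway check. The following is an added example and not avast!'s own code; the indicator lists are copied from the description, the From: header is deliberately ignored because the worm forges it, and the two sample messages are constructed here with a harmless stand-in payload.

```python
"""Mail-gateway check for the Win32:Sobig-E indicators listed above.

Added example, not avast!'s own code. The subject lines, body sentence and
attachment names are taken from the description; the two sample messages are
constructed here for the demonstration and carry a harmless stand-in payload.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject lines the description lists for infected mails.
SOBIG_E_SUBJECTS = {
    "004448554.pif", "Application.pif", "Applications.pif", "movie.pif",
    "new document.pif", "Re: Application", "Re: document.pif", "Re: Documents",
    "Re: Movie", "Re: Movies", "Re: Re: Application ref 003644",
    "Re: Re: Document", "Re: Screensaver", "Re: Submitted", "Referer.pif",
    "Screensaver.scr", "submited.pif", "Your application",
}
# Attachment names without extension; the extension arrives as .zip or, where
# a client takes the malformed header literally, as .zi.
SOBIG_E_ATTACHMENT_STEMS = {"application", "document", "movie",
                            "your_details", "screensaver"}
SOBIG_E_BODY_PHRASE = "please see the attached zip file for details"


def is_sobig_e_attachment(filename: str) -> bool:
    """True for application.zip, document.zip, ... and their truncated .zi form."""
    stem, _, ext = filename.lower().rpartition(".")
    return stem in SOBIG_E_ATTACHMENT_STEMS and ext in ("zip", "zi")


def classify(raw: bytes) -> dict:
    """Return the Sobig-E indicators found in one raw RFC 822 message.

    Subject, body sentence and attachment name are scored; the From: header is
    ignored because the worm forges it. Two or more hits give 'infected', one
    hit 'suspicious' (a genuine 'Re: Documents' thread should not be dropped
    on the subject alone), none 'clean'.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip() in SOBIG_E_SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and SOBIG_E_BODY_PHRASE in body.get_content().lower():
        hits.append("body")
    bad = [part.get_filename() for part in msg.iter_attachments()
           if part.get_filename() and is_sobig_e_attachment(part.get_filename())]
    if bad:
        hits.append("attachment")
    verdict = "infected" if len(hits) >= 2 else "suspicious" if hits else "clean"
    return {"verdict": verdict, "indicators": hits, "attachments": bad}


def _sample(subject: str, body: str, attachment: str) -> bytes:
    """Build a constructed test message with a harmless fake zip payload."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"   # forged sender, as with the worm
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                       subtype="zip", filename=attachment)
    return msg.as_bytes()


# Constructed samples: one matching the worm, one ordinary reply that only
# happens to share a subject line with it.
SAMPLE_INFECTED = _sample("Re: Application",
                          "Please see the attached zip file for details.",
                          "application.zi")
SAMPLE_BENIGN = _sample("Re: Documents",
                        "Minutes from Tuesday attached, thanks.",
                        "minutes.zip")

if __name__ == "__main__":
    for name, raw in ("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN):
        print(name, classify(raw))
```

The two-hit threshold is a design choice for a gateway: several of the listed subjects ("Re: Documents", "Re: Movie") occur in normal traffic, so a single indicator is logged rather than blocked, while the combination of subject, body sentence and a listed attachment name is distinctive enough to quarantine.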
The worm searches for the folders
\Documents and Settings\All Users\Start Menu\Programs\Startup
\Windows\All Users\Start Menu\Programs\Startup
on network shares and tries to copy itself to them.
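The host-side footprint (the two dropped files, the "SSK Service" Run value, and copies in the Startup folders of network shares) can be swept with a short script. The following is an added example and not avast!'s Virus Cleaner; the file names, size, value name and folder paths come from the description, and one assumption is labelled: a Startup-folder copy is taken to be the same 86528 bytes as winssk32.exe, since the page does not name the copied file. The registry reader only works on Windows; the matching logic is separated from it so it can be exercised on captured data anywhere.

```python
r"""Host and share sweep for the Win32:Sobig-E footprint described above.

Added example, not avast!'s Virus Cleaner. Indicators come from the page:
%WINDOWS%\winssk32.exe (86528 bytes), %WINDOWS%\msrrf.dat, a Run value named
"SSK Service", and copies dropped into the two Startup folders on shares.
Assumption: a Startup-folder copy has the same size as winssk32.exe (the page
does not name the copied file), so the share sweep flags files of that size.
"""
import os
import sys
import tempfile
from pathlib import Path

WORM_SIZE = 86528
RUN_VALUE_NAME = "SSK Service"
DROPPED_FILES = ("winssk32.exe", "msrrf.dat")
# Startup folders the worm looks for, relative to a share root.
STARTUP_FOLDERS = (
    Path("Documents and Settings/All Users/Start Menu/Programs/Startup"),
    Path("Windows/All Users/Start Menu/Programs/Startup"),
)


def check_run_values(run_values: dict) -> list:
    """Flag Run values named 'SSK Service' or whose data points at winssk32.exe.

    run_values maps value name -> data for one Run key, either read live with
    read_run_values() or supplied from a captured hive.
    """
    return [(name, data) for name, data in run_values.items()
            if name == RUN_VALUE_NAME
            or str(data).strip('"').lower().endswith("winssk32.exe")]


def read_run_values(hive: str) -> dict:
    """Windows only: dump HKLM or HKCU ...\CurrentVersion\Run as a dict."""
    import winreg  # unavailable outside Windows, hence the local import
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE,
            "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    values, i = {}, 0
    with winreg.OpenKey(root, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # index past the last value
                return values
            values[name] = data
            i += 1


def check_windows_dir(windows_dir) -> list:
    """List (name, size) for the dropped files present in %WINDOWS%."""
    return [(f, (Path(windows_dir) / f).stat().st_size)
            for f in DROPPED_FILES if (Path(windows_dir) / f).is_file()]


def check_share(share_root) -> list:
    """Return worm-sized files sitting in the Startup folders under share_root."""
    hits = []
    for rel in STARTUP_FOLDERS:
        folder = Path(share_root) / rel
        if folder.is_dir():
            hits += [p for p in folder.iterdir()
                     if p.is_file() and p.stat().st_size == WORM_SIZE]
    return hits


def demo() -> dict:
    """Run the checks against a constructed lab tree (inert zero-filled stand-ins)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        win = root / "WINDOWS"
        win.mkdir()
        (win / "winssk32.exe").write_bytes(b"\0" * WORM_SIZE)  # stand-in, not the worm
        (win / "msrrf.dat").write_bytes(b"constructed data file")
        startup = root / "share" / STARTUP_FOLDERS[0]
        startup.mkdir(parents=True)
        (startup / "winssk32.exe").write_bytes(b"\0" * WORM_SIZE)
        (startup / "notes.txt").write_bytes(b"benign")
        run_values = {"SSK Service": r"C:\WINDOWS\winssk32.exe",
                      "ctfmon.exe": "ctfmon.exe"}  # constructed Run key contents
        return {"windows_dir": check_windows_dir(win),
                "share": sorted(p.name for p in check_share(root / "share")),
                "run": check_run_values(run_values)}


if __name__ == "__main__":
    if sys.platform == "win32":
        for hive in ("HKLM", "HKCU"):
            print(hive, check_run_values(read_run_values(hive)))
        print(check_windows_dir(os.environ.get("SystemRoot", r"C:\WINDOWS")))
        if len(sys.argv) > 1:          # optional: a mounted share root to sweep
            print(check_share(sys.argv[1]))
    else:
        print(demo())
```

On a live Windows host the script reads both Run keys (the HKEY_CURRENT_USER key only matters on NT, 2000 or XP, as noted above) and the %SystemRoot% folder; elsewhere it runs the same checks against the constructed tree so the logic can be tried before deployment.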
Removal:
To remove this virus please use our free avast! Virus Cleaner.
avast! with a VPS file dated 25th June 2003 or later is able to detect this worm.