
Thread: Sobig-A

  1. #1
    Senior Member
    Join Date
    Apr 2002


    Another W32 worm, Sobig-A. I searched the forums and couldn't find anything on it, so here it is.


    Win32 worm
    A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the March 2003 (3.67) release of Sophos Anti-Virus.

    Sophos has received several reports of this worm from the wild.

    W32/Sobig-A is a worm that uses a built-in SMTP client and local Windows network shares to spread.

    W32/Sobig-A arrives in an email with the following characteristics:

    Subject line - chosen from:
    Re: Movies
    Re: Sample
    Re: Document
    Re: Here is that sample

    Attached file - chosen from:

    The worm searches the local hard drive for files with the extensions TXT, HTML, EML, HTM, WAB and DBX. The files are used to extract a list of recipient email addresses that will be used by the worm to send infected emails.

    When the attachment is run, W32/Sobig-A copies itself into the Windows folder as Winmgm32.exe and creates a new process by running the file.

    W32/Sobig-A creates the following registry values to run itself on Windows startup:


    The worm connects to a website and attempts to download the file reteral.txt which contains a URL to another file. W32/Sobig-A then attempts to download and run the referenced file.

    The worm also attempts to copy itself onto Windows shares of the local network if the folders Windows\All Users\Start Menu\Programs\StartUp or
    Documents and Settings\All Users\Start Menu\Programs\Startup exist in a shared folder.
    Please read the instructions for removing worms.

    Windows NT/2000/XP

    In Windows NT/2000/XP you will also need to edit the following registry keys. The removal of these keys is optional in Windows 95/98/Me.

    At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

    Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

    Locate the HKEY_LOCAL_MACHINE key:


    and delete it if it exists.

    You will also need to edit the following registry key for each user who ran the virus. Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the key:

    HKU\[code number]\Software\Microsoft\Windows\

    and delete it if it exists.

    Close the registry editor and reboot your computer.

    Deleting the reteral.txt file

    Search your computer for the reteral.txt file dropped by the worm and delete it. This is optional.

    Checking network shares

    You should scan other computers on your network for copies of the worm file if they have shared drives, 'Windows', or 'Documents and Settings' folders.
    Heads up
    By the sacred **** of the sacred psychedelic Tibetan yeti .... We'll smoke the Chinese out
    The 20th century pharaohs have the slaves demanding work
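The indicators quoted in the post above (the dropped Winmgm32.exe, the reteral.txt pointer file, the two All Users Startup folders on shares, the four lure subject lines) turned into an offline triage check. This is an added example, not Sophos' or the poster's code. Because the advisory as pasted does not list the actual registry value names, the parser flags any value in a regedit export whose data names the worm binary rather than relying on a specific key; the sample drive layout, the Run key entry and the "ExampleValue" name in the .reg text are constructed stand-ins, not data from an infected machine.

```python
"""Offline triage for the W32/Sobig-A indicators quoted above (added example)."""
import os
import re
import tempfile
from pathlib import Path

WORM_FILE = "winmgm32.exe"        # copied into the Windows folder and executed
DOWNLOAD_MARKER = "reteral.txt"   # fetched by the worm; holds the URL of the next stage
STARTUP_DIRS = (                  # share folders the worm copies itself into
    "windows/all users/start menu/programs/startup",
    "documents and settings/all users/start menu/programs/startup",
)
LURE_SUBJECTS = {"re: movies", "re: sample", "re: document", "re: here is that sample"}

_REG_KEY = re.compile(r"^\[(.+)\]\s*$")          # [HKEY_...\Key] header line
_REG_VALUE = re.compile(r'^(?:"(.*?)"|@)=(.*)$')  # "Name"=data or @=data (default)


def is_lure_subject(subject):
    """True if a Subject header matches one of the four listed lure subjects."""
    return " ".join(subject.split()).lower() in LURE_SUBJECTS


def scan_tree(root):
    """Walk a drive or mounted share; return sorted (kind, relative_path) hits."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix().lower()
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            lname = name.lower()
            if lname == WORM_FILE:
                # a copy sitting in a share's Startup folder is the lateral-movement case
                in_startup = any(rel_dir.endswith(d) for d in STARTUP_DIRS)
                hits.append(("startup_copy" if in_startup else "worm_binary", rel))
            elif lname == DOWNLOAD_MARKER:
                hits.append(("download_marker", rel))
    return sorted(hits)


def registry_hits(reg_text):
    """Parse regedit 'Export Registry File' text; return (key, value_name)
    pairs whose data references the worm binary, under any key."""
    hits, key = [], None
    for line in reg_text.splitlines():
        m = _REG_KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = _REG_VALUE.match(line)
        if m and key and WORM_FILE in m.group(2).lower():
            hits.append((key, m.group(1) or "(Default)"))
    return hits


def triage(root, reg_text):
    """Combine file-system and registry checks for one host or share."""
    files = scan_tree(root)
    regs = registry_hits(reg_text)
    return {"files": files, "registry": regs, "infected": bool(files or regs)}


# Constructed registry export: the key and value name are placeholders, since the
# advisory text above does not give the real ones. Raw string keeps .reg escaping.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleValue"="C:\\WINDOWS\\winmgm32.exe"
"Benign"="C:\\Program Files\\Tool\\tool.exe"
'''


def build_sample_tree():
    """Constructed stand-in for an infected host's drive; files are inert placeholders."""
    root = Path(tempfile.mkdtemp(prefix="sobig_triage_"))
    layout = {
        "Windows/winmgm32.exe": b"MZ placeholder",
        "Windows/reteral.txt": b"http://example.invalid/next-stage",
        "Documents and Settings/All Users/Start Menu/Programs/Startup/winmgm32.exe": b"MZ placeholder",
        "Documents and Settings/User/My Documents/notes.txt": b"alice@example.invalid",
        "Program Files/Tool/tool.exe": b"MZ benign",
    }
    for rel, data in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree(), SAMPLE_REG)
    for kind, rel in result["files"]:
        print(f"{kind:16} {rel}")
    for key, value in result["registry"]:
        print(f"registry         {key} -> {value}")
    print("infected:", result["infected"])
```

Point `scan_tree` at a mounted share root to cover the "Checking network shares" step; matching on the tail of the path means it still works when the share is exported from below the drive root. Real regedit exports are UTF-16LE, so read them with that encoding before passing the text in.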

  2. #2
    DjM (I'd rather be fishing)
    Join Date
    Aug 2001
    The Great White North
    MessageLabs currently has this Virus sitting in the number 2 position of most active Viruses in the past 24 hours.

    View HERE


  3. #3
    Senior Member
    Join Date
    Feb 2002
    Prodikal, here is what the folks at Symantec have to say about Sobig.A:


  4. #4
    Senior Member
    Join Date
    Aug 2001
    and here I was all bored late on a Friday afternoon and this virus came sauntering in. Made for an interesting time

    We only had a couple of instances of this virus show up last Friday, I got rid of it fairly quickly, but was still fun.

    El Diablo
