Another W32 worm, Sobig-A. I searched the forums and couldn't find anything on it, so here it is.

http://www.sophos.com/virusinfo/analyses/w32sobiga.html

Type
Win32 worm
Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the March 2003 (3.67) release of Sophos Anti-Virus.

Sophos has received several reports of this worm from the wild.
Description

W32/Sobig-A is a worm that uses a built-in SMTP client and local Windows network shares to spread.

W32/Sobig-A arrives in an email with the following characteristics:

Subject line - chosen from:
Re: Movies
Re: Sample
Re: Document
Re: Here is that sample

Attached file - chosen from:
Document003.pif
Sample.pif
Untitled1.pif
Movie_0074.pif

The worm searches the local hard drive for files with the extensions TXT, HTML, EML, HTM, WAB and DBX. The files are used to extract a list of recipient email addresses that will be used by the worm to send infected emails.

When the attachment is run, W32/Sobig-A copies itself into the Windows folder as Winmgm32.exe and creates a new process by running the file.

W32/Sobig-A creates the following registry values to run itself on Windows startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM

The worm connects to a website and attempts to download the file reteral.txt which contains a URL to another file. W32/Sobig-A then attempts to download and run the referenced file.

The worm also attempts to copy itself onto Windows shares of the local network if the folders Windows\All Users\Start Menu\Programs\StartUp or Documents and Settings\All Users\Start Menu\Programs\Startup exist in a shared folder.
Recovery
Please read the instructions for removing worms.

Windows NT/2000/XP

In Windows NT/2000/XP you will also need to edit the following registry keys. The removal of these keys is optional in Windows 95/98/Me.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM

and delete it if it exists.

You will also need to edit the following registry key for each user who ran the virus. Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the key:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM

and delete it if it exists.

Close the registry editor and reboot your computer.

Deleting the reteral.txt file

Search your computer for the reteral.txt file dropped by the worm and delete it. This is optional.

Checking network shares

You should scan other computers on your network for copies of the worm file if they have shared drives, 'Windows', or 'Documents and Settings' folders.
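
The registry and file checks from the advisory above, as a read-only script. This is an added example, not part of the original post or Sophos's removal instructions. It assumes PowerShell 3.0 or later is available on the machine being checked, and the variable names are illustrative.

```powershell
# Added example: read-only check for the W32/Sobig-A indicators named in the advisory.
# Nothing is deleted; the script only reports what it finds.
$valueName = 'WindowsMGM'                                   # Run value from the advisory
$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
$findings  = @()

# Machine-wide Run key, plus the Run key of every user hive loaded under HKEY_USERS
# (the current user's HKCU is one of those hives).
$runKeys  = @("Registry::HKEY_LOCAL_MACHINE\$runSubKey")
$runKeys += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\$runSubKey" }

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $valueName)) {
        $findings += [pscustomobject]@{
            Type     = 'RunValue'
            Location = $key
            Detail   = $props.$valueName                    # command line the value launches
        }
    }
}

# Copy of the worm dropped into the Windows folder.
$dropped = Join-Path $env:windir 'Winmgm32.exe'
if (Test-Path -LiteralPath $dropped) {
    $file = Get-Item -LiteralPath $dropped -Force
    $findings += [pscustomobject]@{
        Type     = 'File'
        Location = $file.FullName
        Detail   = "size $($file.Length) bytes, last written $($file.LastWriteTime)"
    }
}

if ($findings.Count -eq 0) {
    'No W32/Sobig-A indicators from the advisory were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Only hives of users who are currently logged on are loaded under HKEY_USERS, so run the check again for other accounts that may have opened the attachment.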
Heads up