Results 1 to 2 of 2

Thread: New Sobig Variant

  1. #1
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002

    New Sobig Variant

    A new variant of Sobig (version D according to McAfee) is making its way around the Internet. It is still ranked as a Low-risk threat, but MessageLabs reported blocking a number of copies earlier today.

    Here is the info from McAfee:

    This new variant of the W32/Sobig virus was discovered on 18th June 2003.

    The variant is detected as W32/Sobig.dam with the 4266 DATs (released 21st May 2003) or greater. McAfee customers who have updated to this version of DATs, or above, are therefore protected from this new variant. Precise identification as W32/Sobig.d@MM is provided in the 4272 DATs.

    This worm bears strong similarities to W32/Sobig.c@MM. It propagates via email and over network shares. It contains its own SMTP engine for constructing outgoing messages.

    Mail Propagation

    The worm mails itself to recipients extracted from the victim machine, constructing messages using its own SMTP engine.

    Similarly to W32/Sobig@MM, the outgoing messages constructed by the worm may have a closing quote omitted from the attachment filename, which may result in file attachments with a ".PI" extension (as opposed to ".PIF").

    The worm may arrive in an email bearing the following characteristics:

    From: admin@support.com * (could be any address, see note below)
    Subject: (one of the following)

    Application Ref: 456003
    Re: Accepted
    Re: App. 00347545-002
    Re: Documents
    Re: Movies
    Re: Screensaver
    Re: Your Application (Ref: 003844)
    Your Application

    Body: See the attached file for details

    Note: As mentioned above, the file extension may be truncated by a character (eg. ".PI" instead of the intended .PIF).

    * Note: This variant spoofs, or forges, the from address. Therefore the perceived sender is most likely not a pointer to the infected user.

    Share Propagation

    The worm enumerates network shares. It tries to copy itself to the following network locations if the paths are accessible (and write access is satisfied):

    \Documents and Settings\All Users\Start Menu\Programs\Startup\
    \Windows\All Users\Start Menu\Programs\Startup\

    Upon execution, the worm drops the following files into the %WinDir% directory:

    CFRTB32.EXE (approx 59kB) (a copy of itself)
    RSSP32.DAT (configuration file)
    The following Registry keys are added to hook system startup:

    "SFtrb Service" = %WinDir%\CFRTB32.EXE

    "SFtrb Service" = %WinDir%\CFRTB32.EXE
    (where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

    Contacting Remote NTP Servers

    The worm contains a list of IP addresses for remote NTP servers, to which it sends NTP packets (destination port 123).
    For more information you can visit this McAfee site: AVERT- W32/Sobig.d@MM

  2. #2
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Thanks Tony..

    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts