This new variant of the W32/Sobig virus was discovered on 18th June 2003.
The variant is detected as W32/Sobig.dam with the 4266 DATs (released 21st May 2003) or later. McAfee customers who have updated to that DAT version or later are therefore protected from this new variant. Precise identification as W32/Sobig.d@MM is provided in the 4272 DATs.
This worm bears strong similarities to W32/Sobig.c@MM. It propagates via email and over network shares. It contains its own SMTP engine for constructing outgoing messages.
Mail Propagation
The worm mails itself to recipients extracted from the victim machine, constructing messages using its own SMTP engine.
As with W32/Sobig@MM, the outgoing messages constructed by the worm may have the closing quote omitted from the attachment filename, which can result in attachments arriving with a ".PI" extension (as opposed to ".PIF").
The worm may arrive in an email bearing the following characteristics:
From: admin@support.com * (could be any address, see note below)
Subject: (one of the following)
Application Ref: 456003
Re: Accepted
Re: App. 00347545-002
Re: Documents
Re: Movies
Re: Screensaver
Re: Your Application (Ref: 003844)
Your Application
Body: See the attached file for details
Attachment: (one of the following)
accepted.pif
app003475.pif
application.pif
application844.pif
applications.pif
document.pif
movies.pif
ref_456.pif
screensaver.scr
Note: As mentioned above, the file extension may be truncated by one character (e.g. ".PI" instead of the intended ".PIF").
* Note: This variant spoofs (forges) the From address, so the apparent sender is most likely not the infected user.
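The message characteristics listed above can be turned into a simple mail-gateway triage check. The following Python is an added example and is not McAfee's code; it uses only the indicators on this page (subjects, body text, attachment names) and allows for the one-character truncation of the attachment extension. The sample message is constructed inline for demonstration and the address user@example.test is an assumption.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text above.
SUBJECTS = {
    "Application Ref: 456003",
    "Re: Accepted",
    "Re: App. 00347545-002",
    "Re: Documents",
    "Re: Movies",
    "Re: Screensaver",
    "Re: Your Application (Ref: 003844)",
    "Your Application",
}
ATTACHMENTS = {
    "accepted.pif", "app003475.pif", "application.pif", "application844.pif",
    "applications.pif", "document.pif", "movies.pif", "ref_456.pif",
    "screensaver.scr",
}
BODY = "See the attached file for details"


def attachment_matches(name):
    """True for a listed name, or for a listed name missing its final character
    (the ".PI" instead of ".PIF" artefact described above)."""
    name = (name or "").strip().lower()
    return any(name == known or name == known[:-1] for known in ATTACHMENTS)


def triage(raw):
    """Parse a raw RFC 5322 message and report which Sobig.d indicators it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    names = [part.get_filename() for part in msg.iter_attachments()]
    matched = [n for n in names if attachment_matches(n)]
    result = {
        "subject_match": subject in SUBJECTS,
        "body_match": body == BODY,
        "attachments": names,
        "attachment_match": matched,
    }
    # An attachment hit plus either the subject or body text is enough to quarantine.
    result["verdict"] = bool(matched) and (result["subject_match"] or result["body_match"])
    return result


def build_sample(filename="application.pi"):
    """Constructed sample resembling the advisory's description (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "admin@support.com"          # spoofed, per the note above
    msg["To"] = "user@example.test"            # assumed recipient
    msg["Subject"] = "Your Application"
    msg.set_content(BODY)
    msg.add_attachment(b"MZ\x90\x00 constructed placeholder, not a real binary",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def build_benign():
    """Constructed benign message used to show the check does not fire on ordinary mail."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Re: Documents"           # listed subject alone is not enough
    msg.set_content("Minutes from today's meeting attached.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                       maintype="application", subtype="pdf", filename="minutes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_benign()))
```

The verdict deliberately requires an attachment hit in addition to a subject or body match, because the subjects above ("Re: Documents", "Re: Movies") are ordinary enough to appear in legitimate mail.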
Share Propagation
The worm enumerates network shares and attempts to copy itself to the following locations on each share, provided the path is accessible and writable:
\Documents and Settings\All Users\Start Menu\Programs\Startup\
\Windows\All Users\Start Menu\Programs\Startup\
Installation
Upon execution, the worm drops the following files into the %WinDir% directory:
CFRTB32.EXE (approx 59kB) (a copy of itself)
RSSP32.DAT (configuration file)
The following Registry keys are added to hook system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"SFtrb Service" = %WinDir%\CFRTB32.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"SFtrb Service" = %WinDir%\CFRTB32.EXE
(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)
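The dropped files, the Startup-folder copies on shares, and the Run-key values above are the host artefacts a responder would check. The following Python is an added example (not McAfee's code) that parses a registry export in the .reg format produced by reg export and flags the "SFtrb Service" persistence values, and walks a directory tree (for instance a mounted share or an offline disk image) for the dropped file names. The .reg text and the directory tree are constructed inline for the demonstration; the C:\WINNT path is one of the %WinDir% examples given above.

```python
import os
import re
import tempfile

# Artefacts named in the advisory.
RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
}
VALUE_NAME = "SFtrb Service"
DROPPED_FILES = {"cfrtb32.exe", "rssp32.dat"}

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # "name"="string value"


def parse_reg_export(text):
    """Parse 'reg export' text into (key, name, value) triples for string values.
    .reg files double every backslash inside values; undo that escaping."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := _VALUE_RE.match(line)):
            entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def find_run_key_persistence(entries):
    """Return Run-key values that match either the value name or the dropped
    executable's file name, regardless of which %WinDir% was used."""
    run_keys = {k.lower() for k in RUN_KEYS}
    hits = []
    for key, name, value in entries:
        if key.lower() not in run_keys:
            continue
        exe = os.path.basename(value.replace("\\", "/")).lower()
        if name == VALUE_NAME or exe == "cfrtb32.exe":
            hits.append((key, name, value))
    return hits


def find_dropped_files(root):
    """Walk a tree (mounted share, offline image) and list the worm's file names."""
    found = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower() in DROPPED_FILES:
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


# Constructed .reg export: two Run keys carrying the worm's value plus benign entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SFtrb Service"="C:\\WINNT\\CFRTB32.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SFtrb Service"="C:\\WINNT\\CFRTB32.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Installer"="C:\\WINNT\\setup.exe"
'''


def build_sample_tree():
    """Constructed directory layout: %WinDir% drops plus a copy in a share's Startup folder."""
    root = tempfile.mkdtemp(prefix="sobig_demo_")
    paths = [
        "WINNT/CFRTB32.EXE",
        "WINNT/RSSP32.DAT",
        "WINNT/notepad.exe",   # benign, must not be reported
        "share/Documents and Settings/All Users/Start Menu/Programs/Startup/CFRTB32.EXE",
    ]
    for p in paths:
        full = os.path.join(root, *p.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"constructed placeholder")
    return root


if __name__ == "__main__":
    for hit in find_run_key_persistence(parse_reg_export(SAMPLE_REG)):
        print("registry:", hit)
    for path in find_dropped_files(build_sample_tree()):
        print("file:", path)
```

Matching on the file name CFRTB32.EXE as well as on the value name means a hit is still raised if the value name differs but the data points at the dropped executable, and the case-insensitive key comparison copes with the mixed capitalisation that different export tools produce.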
Contacting Remote NTP Servers
The worm contains a list of IP addresses for remote NTP servers, to which it sends NTP packets (destination port 123).
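Because the worm carries its own list of NTP servers, an infected host sends port-123 traffic to addresses the organisation never sanctioned, which is visible in connection logs. The following Python is an added example (not McAfee's code) that reads Zeek-style tab-separated connection records and reports internal hosts talking on port 123 to several destinations outside an allowlist of sanctioned time servers. The log lines, the allowlist address 192.0.2.10 and the threshold of three destinations are all constructed assumptions for the demonstration; the page does not publish the worm's server list.

```python
from collections import defaultdict

# Constructed Zeek conn.log-style records (fields are an assumption for this demo).
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto
1055929200.10\t10.0.0.5\t192.0.2.10\t123\tudp
1055929200.20\t10.0.0.5\t198.51.100.21\t123\tudp
1055929200.30\t10.0.0.5\t198.51.100.22\t123\tudp
1055929200.40\t10.0.0.5\t198.51.100.23\t123\tudp
1055929200.50\t10.0.0.5\t198.51.100.24\t123\tudp
1055929200.55\t10.0.0.5\t198.51.100.24\t123\tudp
1055929201.00\t10.0.0.7\t192.0.2.10\t123\tudp
1055929202.00\t10.0.0.9\t198.51.100.30\t123\tudp
1055929203.00\t10.0.0.9\t198.51.100.31\t80\ttcp
"""

# Sanctioned NTP servers for the environment (assumed value).
SANCTIONED_NTP = {"192.0.2.10"}


def parse_conn_log(text):
    """Yield one dict per data line, using the '#fields' header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split("\t")))


def find_ntp_fanout(records, allowlist=SANCTIONED_NTP, threshold=3):
    """Map each source host to the sorted list of unsanctioned port-123/UDP
    destinations it contacted, keeping only hosts at or above the threshold."""
    dests = defaultdict(set)
    for r in records:
        if r["proto"] != "udp" or r["id.resp_p"] != "123":
            continue
        if r["id.resp_h"] in allowlist:
            continue
        dests[r["id.orig_h"]].add(r["id.resp_h"])
    return {h: sorted(d) for h, d in dests.items() if len(d) >= threshold}


if __name__ == "__main__":
    for host, targets in find_ntp_fanout(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{host}: {len(targets)} unsanctioned NTP destinations: {targets}")
```

Counting distinct destinations rather than packets keeps a single misconfigured client that hammers one unsanctioned server below the threshold, while a host working through an embedded server list stands out quickly.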