F-Secure has created a special removal tool that removes the active
Sobig.C infection and all its traces. For details, see the bottom
of this description.
UPDATE (2003-06-01 10:30 GMT)
A new variant of the Sobig worm (Sobig.C) is spreading in the
wild. It arrives as a PIF or SCR attachment in emails that appear to
come from several faked sender addresses, for example "bill@microsoft.com".
The Sobig.C worm was found in the wild late in the evening of
31 May 2003. On 1 June 2003 the worm's spreading increased in
several countries. Detection for the worm has been published.
Technical details
The worm copies itself to the Windows folder as
mscvb32.exe
and adds the following value under the Run registry key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
System MScvb = %WindowsDir%\mscvb32.exe
so that it is launched every time Windows starts.
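The persistence entry above is the indicator an incident responder would look for on a suspect host. The following added example (not part of the F-Secure description or of any F-Secure tool) parses a text export of the Run key, such as one produced with regedit's export function, and flags entries matching the Sobig.C value name or dropped file name. The export text is constructed for the example; the only host-specific data in it is the "System MScvb" entry taken from the description.

```python
import re
from typing import Dict, List, Tuple

# Indicators from the description: the worm drops mscvb32.exe into the Windows
# folder and registers it under the Run key as the value "System MScvb".
WORM_FILE = "mscvb32.exe"
WORM_VALUE_NAME = "System MScvb"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a .reg export (not taken from a real host). Only the
# second Run value corresponds to the Sobig.C persistence entry; the others
# are made-up benign entries so the scan has something to ignore.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"System MScvb"="C:\\WINDOWS\\mscvb32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Installer"="C:\\setup\\finish.exe"
"""

# One exported string value per line: "name"="data"
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}} (string values only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                # .reg files escape a backslash as "\\"; undo that for path matching
                keys[current][m["name"]] = m["data"].replace("\\\\", "\\")
    return keys


def find_sobig_c_persistence(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for Run entries matching the Sobig.C indicators."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            # Compare only the file name: the Windows folder path varies per host
            exe = data.strip('"').split("\\")[-1].lower()
            if name.lower() == WORM_VALUE_NAME.lower() or exe == WORM_FILE:
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_sobig_c_persistence(SAMPLE_REG_EXPORT):
        print(f"Sobig.C persistence found: [{key}] {name} = {data}")
```

Matching on the file name rather than the full path keeps the check independent of where Windows is installed on the host; matching the value name as well catches an entry whose data was edited by hand.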
Worm's life span
The worm stops spreading if the computer's date is set to 8 June 2003
or later.
Mass mailing
This variant of the worm no longer uses a fixed address as the sender. It
also uses addresses collected from the user's machine, so messages might
appear to come from known people who are completely unaware of this and are
not necessarily infected by the worm. Receiving the worm from a given address
does not imply that the owner of that address is infected.
Likewise, bounce (error) messages might be received, as if the user had sent
an infected message from his or her computer. This happens because the worm
sends itself from faked addresses to addresses that do not exist, and the
bounce goes to the user whose address was faked. Those messages can be
safely ignored.
Message subjects are chosen from:
Re: Screensaver
Re: Movie
Re: Submited (004756-3463)
Re: 45443-343556
Re: Approved
Approved
Re: Your application
Re: Application
Attachment names are chosen from:
screensaver.scr
movie.pif
submited.pif
45443.pif
documents.pif
approved.pif
application.pif
document.pif
The body of the messages is always fixed:
Please see the attached file.
The worm gathers e-mail addresses from files with the following extensions:
'.wab'
'.dbx'
'.htm'
'.html'
'.eml'
'.txt'
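The subject list, attachment names and fixed body above are the reliable mail-gateway indicators for this variant, while the sender address is not (the description explains that it is forged or harvested). The following added example (not part of the F-Secure description) turns those indicators into a triage rule over raw RFC 822 messages using Python's standard email library. The two sample messages are constructed for the example; the forged "bill@microsoft.com" sender is the one the description cites.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List

# Indicators copied from the description above
SUBJECTS = {
    "Re: Screensaver", "Re: Movie", "Re: Submited (004756-3463)",
    "Re: 45443-343556", "Re: Approved", "Approved",
    "Re: Your application", "Re: Application",
}
ATTACHMENTS = {
    "screensaver.scr", "movie.pif", "submited.pif", "45443.pif",
    "documents.pif", "approved.pif", "application.pif", "document.pif",
}
BODY = "Please see the attached file."
EXECUTABLE_EXTS = (".pif", ".scr")


def sobig_c_indicators(raw: bytes) -> List[str]:
    """Return the Sobig.C mail indicators present in a raw message.
    The From: header is deliberately not consulted: the worm forges it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits: List[str] = []
    if (msg["subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None and body_part.get_content().strip() == BODY:
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append("attachment-name")
        elif name.endswith(EXECUTABLE_EXTS):
            hits.append("executable-attachment")
    return hits


def is_probable_sobig_c(raw: bytes) -> bool:
    """Quarantine rule: a known attachment name is enough on its own; otherwise
    require the fixed subject and body together with any PIF/SCR attachment."""
    hits = sobig_c_indicators(raw)
    return "attachment-name" in hits or (
        "subject" in hits and "body" in hits and "executable-attachment" in hits
    )


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Construct a test message (not a real capture) with one attachment."""
    m = EmailMessage()
    m["From"] = "bill@microsoft.com"  # forged sender, as in the description
    m["To"] = "user@example.invalid"  # constructed recipient
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"MZ-placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples: one matching the worm's pattern, one benign reply
# that happens to reuse a listed subject but carries a PDF.
WORM_MAIL = build_sample("Re: Approved", BODY, "approved.pif")
BENIGN_MAIL = build_sample("Re: Approved", "Here is the signed contract.", "contract.pdf")

if __name__ == "__main__":
    for label, raw in (("worm", WORM_MAIL), ("benign", BENIGN_MAIL)):
        print(label, sobig_c_indicators(raw), is_probable_sobig_c(raw))
```

A subject such as "Re: Approved" is too common to act on alone, which is why the rule requires the attachment name or the full subject, body and executable-attachment combination before quarantining.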
Local Area Network propagation
The worm also tries to spread to computers with open network shares by
copying itself to the following locations:
Windows\All Users\Start Menu\Programs\Startup\