[TheForge] New virus
Andrew Vida
[email protected]
Sat May 24 18:28:00 2003
I got this virus twice in the past two days. Here's the rap sheet
from Trend Micro:
Not Microsoft Support - WORM_SOBIG.B (Low Risk)
WORM_SOBIG.B propagates by using its own SMTP engine to mass-mail
copies of itself to other users. It runs on Windows 95, 98, ME, NT,
2000, and XP.
Upon execution, this worm drops a copy of itself in the Windows folder
as msccn32.exe, and creates a registry entry that allows it to run
automatically at every Windows startup. It searches for recipient
addresses in files with the TXT, EML, HTML, HTM, DBX, and WAB
extensions and sends email with the following details:
From: [email protected]
Subject: (any of the following)
Approved (Ref: 38446-263)
Cool screensaver
Re: Approved (Ref: 3394-65467)
Re: Movie
Re: My application
Re: My details
Screensaver
Your details
Your password
Message Body:
All information is in the attached file.
Attachment: (any of the following)
application.pif
approved.pif
doc_details.pif
movie28.pif
password.pif
ref-394755.pif
screen_doc.pif
screen_temp.pif
your_details.pif
There are instances when the virus attachment arrives with the file
extension PI instead of PIF. This could be attributed to a bug in the
worm code, such that it generates outgoing emails that the receiving
email client is unable to process correctly. In this case, the
attachment will not run when double-clicked.
The worm also spreads a copy of itself to network shared drives by
copying itself to the following folders:
Documents and Settings\All Users\Start Menu\Programs\Startup
Windows\All Users\Start Menu\Programs\StartUp
It creates an event object named "Mnkx.X" that serves as a reference
to succeeding executions of the worm that already exist in memory. The
worm attempts to download data from www.geocities.com Web pages. It
checks the current system date and stops its malicious behavior when
the date is May 31, 2003 or later.
If you would like to scan your computer for WORM_SOBIG.B or thousands
of other worms, viruses, Trojans and malicious code, visit HouseCall,
Trend Micro's free, online virus scanner at:
http://housecall.trendmicro.com
WORM_SOBIG.B is detected and cleaned by Trend Micro pattern file
#541 and above.
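A mail-gateway triage rule built from the indicators in the Trend Micro description above. This is an added example, not part of the original post and not Trend Micro's or the poster's code. It parses RFC 822 messages with Python's standard library and flags a message when its subject is one of the listed subjects and it carries an attachment with one of the listed names; the truncated ".pi" variant described above is matched as well, since the file is still worm code even though it will not run when double-clicked. The sender address on the page is redacted, so it is deliberately not used as an indicator. The sample messages are constructed here for the demonstration; the function names (build_sample, classify, is_sobig_b_name) are this example's own.

```python
"""Flag messages carrying the WORM_SOBIG.B subject/attachment indicators.

Added example; function names and sample messages are this example's own.
"""
import email
from email import policy
from email.message import EmailMessage

# Subjects quoted in the Trend Micro description (matched exactly).
SUBJECTS = {
    "Approved (Ref: 38446-263)",
    "Cool screensaver",
    "Re: Approved (Ref: 3394-65467)",
    "Re: Movie",
    "Re: My application",
    "Re: My details",
    "Screensaver",
    "Your details",
    "Your password",
}

# Attachment names quoted in the description, without their extension.
ATTACHMENT_STEMS = {
    "application", "approved", "doc_details", "movie28", "password",
    "ref-394755", "screen_doc", "screen_temp", "your_details",
}

# Normal extension is .pif; the description notes a bug that ships it as .pi.
ATTACHMENT_EXTENSIONS = {"pif", "pi"}


def is_sobig_b_name(filename):
    """True when the attachment name matches stem.pif or the truncated stem.pi."""
    stem, sep, ext = filename.rpartition(".")
    if not sep:
        return False
    return stem.lower() in ATTACHMENT_STEMS and ext.lower() in ATTACHMENT_EXTENSIONS


def attachment_names(msg):
    """Collect the filename of every MIME part that declares one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def classify(raw_message):
    """Return 'sobig_b', 'suspicious' or 'clean' for a raw RFC 822 message.

    'sobig_b'    : listed subject AND a listed attachment name
    'suspicious' : listed attachment name but some other subject (worth a look:
                   the worm's subject list in the wild may be longer than this)
    'clean'      : no listed attachment name
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    hits = [name for name in attachment_names(msg) if is_sobig_b_name(name)]
    if hits and subject in SUBJECTS:
        return "sobig_b"
    if hits:
        return "suspicious"
    return "clean"


def build_sample(subject, attachment_name):
    """Construct a sample message (test data, not a captured worm email)."""
    msg = EmailMessage()
    msg["From"] = "[email protected]"   # sender is redacted on the page; not an indicator
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("All information is in the attached file.")
    # Constructed placeholder bytes; a real .pif would be a PE executable.
    msg.add_attachment(b"MZ-placeholder", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, name in [("Your details", "your_details.pif"),
                       ("Re: Movie", "movie28.pi"),
                       ("Hello", "password.pif"),
                       ("Quarterly report", "report.pdf")]:
        print(f"{subj!r:32} {name:20} -> {classify(build_sample(subj, name))}")
```

The ".pi" match matters at a gateway: a user who cannot open the attachment may forward it to someone who renames it, so the truncated variant should be quarantined just like the normal one. Exact subject matching keeps false positives low, but the "suspicious" tier exists because a worm's subject list is the part of its fingerprint most likely to vary between samples.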