[Histonet] New virus - appears to be "sobig"
Jackie.O'Connor <@t> abbott.com
Jackie.O'Connor <@t> abbott.com
Wed Aug 20 10:18:55 CDT 2003
I've received 100 of these from histonet with the subject line just as you
describe! Thanks for the information.
Jacqueline M. O'Connor HT(ASCP)
Abbott Laboratories
Global Pharmaceutical Research and Development
Discovery Chemotheraputics
847.938.4919
Fax 847.938.3266
"Marshall Terry Dr, Consultant Histopathologist"
<Terry.Marshall <@t> rothgen.nhs.uk>
Sent by: histonet-admin <@t> lists.utsouthwestern.edu
08/20/2003 09:58 AM
To: "Adams, Sharon K." <SADAMS <@t> HCMHCARES.ORG>, "HistoNet Server"
<histonet <@t> pathology.swmed.edu>
cc:
Subject: [Histonet] New virus - appears to be "sobig"
Virus Profile
Virus Information
Name: W32/Sobig.f <@t> MM
Risk Assessment
- Home Users: High
- Corporate Users: Medium
Date Discovered: 8/18/2003
Date Added: 8/18/2003
Origin: Unknown
Length: approx 72,568 Bytes
Type: Virus
SubType: Internet Worm
DAT Required: 4287
Quick Links
Virus Characteristics
Indications of Infection
Method of Infection
Removal Instructions
Aliases
Buy or Update
New Users Get Protected Now:
Buy VirusScan Online
Update VirusScan Online
Virus Characteristics
This detection is for a new variant of W32/Sobig. In common with previous
variants, the worm is written in MSVC, and bears the following
characteristics:
propagates via email, constructing outgoing messages with its own SMTP
engine
propagates over network shares (not confirmed in testing yet)
Note: The worm carries garbage data appended to end of file, so exact
filesize and file checksum may vary.
Installation
The worm copies itself onto the victim machine as WINPPR32.EXE into
%Windir%, for example:
C:\WINNT\WINPPR32.EXE
A configuration file is also dropped to %Windir%:
C:\WINNT\WINSTT32.DAT
The following Registry keys are added to hook system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc
Mail Propagation
The worm mails itself to email addresses harvested from the victim
machine, using its own SMTP engine to construct outgoing messages. Target
email addresses are harvested from files with the following extensions:
DBX
HLP
MHT
WAB
EML
TXT
HTM
HTML
Outgoing messages are constructed as follows:
Subject:
Your details
Thank you!
Re: Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Attachment:
your_document.pif
document_all.pif
thank_you.pif
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< the one we
got(Terry)
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
Body:
See the attached file for details
Please see the attached file for details
The "From:" address may be spoofed with an address extracted from the
victim machine. Therefore the perceived sender is most likely not a
pointer to the infected user.
Contacting Remote NTP Servers
The worm contains a list of IP addresses for remote NTP servers, to which
it sends NTP packets (destination port 123).
Self-Termination
In common with previous W32/Sobig variants, this variant contains a date
triggered self-termination routine. If the date is September 10th 2003 or
later, the worm will no longer propagate.
Indications of Infection
Existence of the WINPPR32.EXE file in %WinDir%
Existence of the Registry hooks detailed above
Unexpected NTP traffic to remote servers
Method of Infection
This worm propagates via email (contains its own SMTP engine) and over
network shares.
Removal Instructions
DAT Files
Detection is included in the 4287 DAT files. In addition to the DAT
version requirements for detection, the specified engine version (or
greater) must also be used. Alternatively, the following EXTRA.DAT
packages are available (HOW TO use an EXTRA.DAT)..
EXTRA.DAT - should be extracted to the same directory where CLEAN.DAT,
NAMES.DAT, and SCAN.DAT are (typically C:\Program Files\Common
Files\Network Associates\VirusScan Engine\4.0.xx)
or
SUPER EXTRA.DAT - EXTRA.DAT self installer
Stand Alone Remover
Stinger has been updated to include detection/removal of this threat.
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
- Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as
the Starting Windows text is displayed, choose Safe Mode.
- WinNT/2K/XP - Terminate the process WINPPR32.EXE
Delete the following files from your WINDOWS directory (typically
c:\windows or c:\winnt)
WINPPR32.EXE
WINSTT32.DAT
Edit the registry
Delete the "TrayX" value from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
HKEY_CURRENT_USERS\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Additional Windows ME/XP removal considerations
Aliases
W32.Sobig.F <@t> mm (NAV), WORM_SOBIG.F (Trend)
Dr Terry L Marshall, B.A.(Law), M.B.,Ch.B.,F.R.C.Path
Consultant Pathologist
Rotherham General Hospital
South Yorkshire
England
terry.marshall <@t> rothgen.nhs.uk
_______________________________________________
Histonet mailing list
Histonet <@t> lists.utsouthwestern.edu
http://lists.utsouthwestern.edu/mailman/listinfo/histonet
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.utsouthwestern.edu/pipermail/histonet/attachments/20030820/8d5fb66a/attachment.htm
More information about the Histonet
mailing list