[Histonet] New virus - appears to be "sobig"

Jackie.O'Connor <@t> abbott.com Jackie.O'Connor <@t> abbott.com
Wed Aug 20 10:18:55 CDT 2003


I've received 100 of these from histonet with the subject line just as you 
describe!  Thanks for the information.

Jacqueline M. O'Connor HT(ASCP)
Abbott Laboratories
Global Pharmaceutical Research and Development
Discovery Chemotheraputics
847.938.4919
Fax 847.938.3266




"Marshall Terry Dr, Consultant Histopathologist" 
<Terry.Marshall <@t> rothgen.nhs.uk>
Sent by: histonet-admin <@t> lists.utsouthwestern.edu
08/20/2003 09:58 AM

 
        To:     "Adams, Sharon K." <SADAMS <@t> HCMHCARES.ORG>, "HistoNet Server" 
<histonet <@t> pathology.swmed.edu>
        cc: 
        Subject:        [Histonet] New virus - appears to be "sobig"


Virus Profile 
 
Virus Information 
Name: W32/Sobig.f <@t> MM 
Risk Assessment 
  - Home Users: High 
  - Corporate Users: Medium 
Date Discovered: 8/18/2003 
Date Added: 8/18/2003 
Origin: Unknown 
Length: approx 72,568 Bytes 
Type: Virus 
SubType: Internet Worm 
DAT Required: 4287 
 
  Quick Links 
Virus Characteristics 
Indications of Infection 
Method of Infection 
Removal Instructions 
Aliases 
 
 
Buy or Update 
 New Users Get Protected Now:
Buy VirusScan Online 
 
 Update VirusScan Online 
 
 
 
Virus Characteristics 
 
This detection is for a new variant of W32/Sobig. In common with previous 
variants, the worm is written in MSVC, and bears the following 
characteristics:

propagates via email, constructing outgoing messages with its own SMTP 
engine 
propagates over network shares (not confirmed in testing yet) 
Note: The worm carries garbage data appended to end of file, so exact 
filesize and file checksum may vary.

Installation 

The worm copies itself onto the victim machine as WINPPR32.EXE into 
%Windir%, for example:

C:\WINNT\WINPPR32.EXE 
A configuration file is also dropped to %Windir%:

C:\WINNT\WINSTT32.DAT 
The following Registry keys are added to hook system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc 
Mail Propagation 

The worm mails itself to email addresses harvested from the victim 
machine, using its own SMTP engine to construct outgoing messages. Target 
email addresses are harvested from files with the following extensions:

DBX 
HLP 
MHT 
WAB 
EML 
TXT 
HTM 
HTML 
Outgoing messages are constructed as follows:

Subject: 

Your details 
Thank you! 
Re: Thank you! 
Re: Details 
Re: Re: My details 
Re: Approved 
Re: Your application 
Re: Wicked screensaver 
Re: That movie 
Attachment: 

your_document.pif 
document_all.pif 
thank_you.pif 
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< the one we 
got(Terry)
your_details.pif 
details.pif 
document_9446.pif 
application.pif 
wicked_scr.scr 
movie0045.pif 
Body: 

See the attached file for details 
Please see the attached file for details 
The "From:" address may be spoofed with an address extracted from the 
victim machine. Therefore the perceived sender is most likely not a 
pointer to the infected user.

Contacting Remote NTP Servers 

The worm contains a list of IP addresses for remote NTP servers, to which 
it sends NTP packets (destination port 123).

Self-Termination 

In common with previous W32/Sobig variants, this variant contains a date 
triggered self-termination routine. If the date is September 10th 2003 or 
later, the worm will no longer propagate.
 
 
 
Indications of Infection 
 
Existence of the WINPPR32.EXE file in %WinDir% 
Existence of the Registry hooks detailed above 
Unexpected NTP traffic to remote servers 
 
 
 
Method of Infection 
 
This worm propagates via email (contains its own SMTP engine) and over 
network shares.
 
 
 
Removal Instructions 
 
DAT Files 
Detection is included in the 4287 DAT files. In addition to the DAT 
version requirements for detection, the specified engine version (or 
greater) must also be used. Alternatively, the following EXTRA.DAT 
packages are available (HOW TO use an EXTRA.DAT).. 

EXTRA.DAT - should be extracted to the same directory where CLEAN.DAT, 
NAMES.DAT, and SCAN.DAT are (typically C:\Program Files\Common 
Files\Network Associates\VirusScan Engine\4.0.xx) 
or

SUPER EXTRA.DAT - EXTRA.DAT self installer 
Stand Alone Remover 
Stinger has been updated to include detection/removal of this threat. 
Manual Removal Instructions 
To remove this virus "by hand", follow these steps: 

- Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as 
the Starting Windows text is displayed, choose Safe Mode. 
- WinNT/2K/XP - Terminate the process WINPPR32.EXE 
Delete the following files from your WINDOWS directory (typically 
c:\windows or c:\winnt) 
WINPPR32.EXE 
WINSTT32.DAT 
Edit the registry 
Delete the "TrayX" value from 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ 
Windows\CurrentVersion\Run 
HKEY_CURRENT_USERS\SOFTWARE\Microsoft\ 
Windows\CurrentVersion\Run 
Additional Windows ME/XP removal considerations
 
 
 
Aliases 
 
W32.Sobig.F <@t> mm (NAV), WORM_SOBIG.F (Trend) 
 

Dr Terry L Marshall, B.A.(Law), M.B.,Ch.B.,F.R.C.Path
 Consultant Pathologist
 Rotherham General Hospital
 South Yorkshire
 England
        terry.marshall <@t> rothgen.nhs.uk

_______________________________________________
Histonet mailing list
Histonet <@t> lists.utsouthwestern.edu
http://lists.utsouthwestern.edu/mailman/listinfo/histonet


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.utsouthwestern.edu/pipermail/histonet/attachments/20030820/8d5fb66a/attachment.htm


More information about the Histonet mailing list