[Histonet] New virus - appears to be "sobig"

Marshall Terry Dr, Consultant Histopathologist Terry.Marshall <@t> rothgen.nhs.uk
Wed Aug 20 09:58:56 CDT 2003


Virus Profile 
 
Virus Information 
Name: W32/Sobig.f <@t> MM 
Risk Assessment   
  - Home Users: High 
  - Corporate Users: Medium 
Date Discovered: 8/18/2003 
Date Added: 8/18/2003 
Origin: Unknown 
Length: approx 72,568 Bytes 
Type: Virus 
SubType: Internet Worm 
DAT Required: 4287 
 
  Quick Links 
Virus Characteristics 
Indications of Infection 
Method of Infection 
Removal Instructions 
Aliases 
 
 
Buy or Update 
 New Users Get Protected Now:
Buy VirusScan Online 
 
 Update VirusScan Online 
 
 
 
Virus Characteristics  
 
This detection is for a new variant of W32/Sobig. In common with previous variants, the worm is written in MSVC, and bears the following characteristics:

propagates via email, constructing outgoing messages with its own SMTP engine 
propagates over network shares (not confirmed in testing yet) 
Note: The worm carries garbage data appended to end of file, so exact filesize and file checksum may vary.

Installation 

The worm copies itself onto the victim machine as WINPPR32.EXE into %Windir%, for example:

C:\WINNT\WINPPR32.EXE 
A configuration file is also dropped to %Windir%:

C:\WINNT\WINSTT32.DAT 
The following Registry keys are added to hook system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc 
Mail Propagation 

The worm mails itself to email addresses harvested from the victim machine, using its own SMTP engine to construct outgoing messages. Target email addresses are harvested from files with the following extensions:

DBX 
HLP 
MHT 
WAB 
EML 
TXT 
HTM 
HTML 
Outgoing messages are constructed as follows:

Subject: 

Your details 
Thank you! 
Re: Thank you! 
Re: Details 
Re: Re: My details 
Re: Approved 
Re: Your application 
Re: Wicked screensaver 
Re: That movie 
Attachment: 

your_document.pif 
document_all.pif 
thank_you.pif <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< the one we got(Terry)
your_details.pif 
details.pif 
document_9446.pif 
application.pif 
wicked_scr.scr 
movie0045.pif 
Body: 

See the attached file for details 
Please see the attached file for details 
The "From:" address may be spoofed with an address extracted from the victim machine. Therefore the perceived sender is most likely not a pointer to the infected user.

Contacting Remote NTP Servers 

The worm contains a list of IP addresses for remote NTP servers, to which it sends NTP packets (destination port 123).

Self-Termination 

In common with previous W32/Sobig variants, this variant contains a date triggered self-termination routine. If the date is September 10th 2003 or later, the worm will no longer propagate.
 
 
 
Indications of Infection  
 
Existence of the WINPPR32.EXE file in %WinDir% 
Existence of the Registry hooks detailed above 
Unexpected NTP traffic to remote servers 
 
 
 
Method of Infection  
 
This worm propagates via email (contains its own SMTP engine) and over network shares.
 
 
 
Removal Instructions  
 
DAT Files 
Detection is included in the 4287 DAT files. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used. Alternatively, the following EXTRA.DAT packages are available (HOW TO use an EXTRA.DAT).. 

EXTRA.DAT - should be extracted to the same directory where CLEAN.DAT, NAMES.DAT, and SCAN.DAT are (typically C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx) 
or

SUPER EXTRA.DAT - EXTRA.DAT self installer 
Stand Alone Remover 
Stinger has been updated to include detection/removal of this threat. 
Manual Removal Instructions 
To remove this virus "by hand", follow these steps: 

- Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode. 
- WinNT/2K/XP - Terminate the process WINPPR32.EXE 
Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt) 
WINPPR32.EXE 
WINSTT32.DAT 
Edit the registry 
Delete the "TrayX" value from 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ 
Windows\CurrentVersion\Run 
HKEY_CURRENT_USERS\SOFTWARE\Microsoft\ 
Windows\CurrentVersion\Run 
Additional Windows ME/XP removal considerations
 
 
 
Aliases  
 
W32.Sobig.F <@t> mm (NAV), WORM_SOBIG.F (Trend) 
 

Dr Terry L Marshall, B.A.(Law), M.B.,Ch.B.,F.R.C.Path
 Consultant Pathologist
 Rotherham General Hospital
 South Yorkshire
 England
        terry.marshall <@t> rothgen.nhs.uk




More information about the Histonet mailing list