Lumension® Endpoint Intelligence Center


Overview

Threat Risk: HIGH
Destructivity: NONE
Payload:
Detection files published: 18 May 2003 03:00:00
Description created: 18 May 2003 07:05:00
Description updated: 26 May 2003 07:19:00
Malware type: WORM
Alias: W32.HLLW.Mankx@mm, W32/Palyh.A@mm
Spreading mechanism: EMAIL, NETWORK
Summary: None

W32/Sobig.B@mm

Spreading

When the worm is run, it copies itself to the Windows directory as MSCCN32.EXE and creates a file named HNKS.INI in the same directory.

It then sends itself to email addresses harvested from various sources on the infected machine. It also enumerates network shares and copies itself to other machines on the local network.

Registry values will be created to start the worm at boot:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "System Tray=[WINDIR]\msccn32.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "System Tray=[WINDIR]\msccn32.exe"

The worm stops spreading, both by email and over local networks, once the local system date is later than May 31st 2003.

Infected emails are constructed from word lists.

Some possible subjects are:

Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My details
Your passwords
Re: Approved (Ref:3394-65467)
Approved (Ref: 38446-263)

Some possible attachment names are:

application.pif
movie28.pif
screen_doc.pif
screen_temp.pif
doc_details.pif
password.pif
approved.pif
ref-394755.pif
your_details.pif

Note that the worm will often truncate the attachment name so that the extension becomes *.pi.

The sender address is spoofed to appear to come from support@microsoft.com.
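The email characteristics and the Run-key persistence entry above are the indicators a defender can key on. The following Python is an added example, not code from this description or from Lumension: it encodes the subjects, attachment names, spoofed sender, "System Tray" Run value and the May 31st 2003 cutoff listed on this page, and the sample messages and registry data in it are constructed. The subjects containing a "Ref:" number and the ref-NNNNNN.pif attachment are matched by pattern rather than literally, since the numbers vary between messages; that generalisation of the two listed examples is an assumption.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the description above. The sample messages and
# registry data at the bottom are constructed for illustration.
KNOWN_SUBJECTS = {
    "re: my application", "re: movie", "cool screensaver", "screensaver",
    "re: my details", "your passwords",
}
# "Approved (Ref: ...)" subjects carry a reference number that varies, so
# they are matched by pattern (an assumption generalising the listed examples).
APPROVED_SUBJECT_RE = re.compile(r"^(re: )?approved \(ref: ?\d+-\d+\)$", re.IGNORECASE)

KNOWN_ATTACHMENT_STEMS = {
    "application", "movie28", "screen_doc", "screen_temp", "doc_details",
    "password", "approved", "your_details",
}
REF_ATTACHMENT_RE = re.compile(r"^ref-\d+$")  # ref-394755.pif and similar
# The worm often truncates the extension, so '.pi' is treated like '.pif'.
WORM_EXTENSIONS = ("pif", "pi")

SPOOFED_SENDER = "support@microsoft.com"
WORM_FILENAME = "msccn32.exe"
RUN_VALUE_NAME = "system tray"
SPREAD_CUTOFF = (2003, 5, 31)  # no spreading once the system date is past this


@dataclass
class Email:
    sender: str
    subject: str
    attachments: list = field(default_factory=list)


def attachment_matches(name: str) -> bool:
    """True if an attachment file name follows the worm's naming scheme."""
    stem, dot, ext = name.lower().rpartition(".")
    if not dot or ext not in WORM_EXTENSIONS:
        return False
    return stem in KNOWN_ATTACHMENT_STEMS or bool(REF_ATTACHMENT_RE.match(stem))


def subject_matches(subject: str) -> bool:
    s = subject.strip().lower()
    return s in KNOWN_SUBJECTS or bool(APPROVED_SUBJECT_RE.match(s))


def score_email(mail: Email) -> list:
    """Return the names of the indicators a message hits. A lone hit such as a
    plain 'Screensaver' subject is weak; sender plus attachment is strong."""
    hits = []
    if mail.sender.strip().lower() == SPOOFED_SENDER:
        hits.append("spoofed_sender")
    if subject_matches(mail.subject):
        hits.append("subject")
    if any(attachment_matches(a) for a in mail.attachments):
        hits.append("attachment")
    return hits


def run_value_is_suspicious(value_name: str, value_data: str) -> bool:
    """Check one Run-key value (name and data, as read from HKCU or HKLM)
    against the persistence entry listed above."""
    data = value_data.strip().strip('"').lower()
    return value_name.strip().lower() == RUN_VALUE_NAME and data.endswith("\\" + WORM_FILENAME)


def spreading_active(year: int, month: int, day: int) -> bool:
    """Whether a machine with this system date would still see the worm
    spread; relevant when interpreting a sandbox run made after the cutoff."""
    return (year, month, day) <= SPREAD_CUTOFF


if __name__ == "__main__":
    # Constructed sample traffic, not real captures.
    samples = [
        Email("support@microsoft.com", "Re: Approved (Ref:3394-65467)", ["approved.pi"]),
        Email("alice@example.com", "Lunch tomorrow?", ["menu.pdf"]),
    ]
    for m in samples:
        print(m.subject, "->", score_email(m) or "clean")
    print("Run value:", run_value_is_suspicious("System Tray", r"C:\WINDOWS\msccn32.exe"))
    print("Spreading on 2003-06-01:", spreading_active(2003, 6, 1))
```

The date check matters for analysis rather than detection: a sample detonated on a machine whose clock is past the cutoff will show the file drop and the Run values but no mail or share activity, which is the worm's own behaviour, not a detection gap.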

Payload Details

The worm attempts to download and execute files from accounts on Geocities; at the time of writing, however, these pages appeared to be largely down.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11