Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: MEDIUM
Payload: Attempts to download a backdoor trojan
Detection files published: 09 Jan 2003 03:00:00
Description created: 10 Jan 2003 08:37:00
Description updated: 26 Feb 2003 03:47:00
Malware type: WORM
Alias: none
Spreading mechanism: NETWORK
Summary: None

W32/Sobig.A@mm

Spreading

When the worm is first run, it copies itself to the Windows directory under the name WINMGM32.EXE. It then creates a registry value so that the copy is launched at every startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WindowsMGM = WINMGM32.EXE

It then searches local files and address books for email addresses to send itself to.

The subject will be one of the following:

Re: Movies
Re: Sample
Re: Document
Re: Here is that sample

The attachment name will be one of the following:

Movie_0074.mpeg.pif
Document003.pif
Untitled1.pif
Sample.pif

The worm also attempts to copy itself over network shares to the following directories:

\Windows\All Users\Start Menu\Programs\StartUp\
\Documents and Settings\All Users\Start Menu\Programs\Startup\
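
The persistence entry and the mail characteristics above are the indicators a responder would look for in collected artifacts. The following script is an added example, not part of the original description: it scans the text of a registry export and a few parsed mail messages for the Run value name, the dropped file name, and the subject and attachment lists given above. The sample registry export and sample messages are constructed for the example; the treatment of any other .pif attachment as a weaker signal is a generalisation beyond the page, since every attachment name listed there is a .pif.

```python
"""Offline hunt for the W32/Sobig.A@mm indicators listed in the description above.

Added example, not part of the original description: it scans the text of a
Windows registry export and a few parsed mail messages for the persistence
entry, dropped file name, subjects and attachment names the page lists.
"""
import re

# Indicators taken from the description above.
RUN_VALUE_NAME = "WindowsMGM"
DROPPED_FILE = "WINMGM32.EXE"
SUBJECTS = {"Re: Movies", "Re: Sample", "Re: Document", "Re: Here is that sample"}
ATTACHMENTS = {"Movie_0074.mpeg.pif", "Document003.pif", "Untitled1.pif", "Sample.pif"}

# Constructed sample of a .reg export (the format `reg export` produces); the
# second Run value is the worm's persistence entry, the others are benign.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"WindowsMGM"="WINMGM32.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Installer"="C:\\Setup\\cleanup.exe"
"""

# Constructed mail messages, already reduced to the fields the check needs.
SAMPLE_MAILS = [
    {"id": "msg-1", "Subject": "Re: Sample", "attachments": ["Sample.pif"]},
    {"id": "msg-2", "Subject": "Re: budget", "attachments": ["budget.xls"]},
    {"id": "msg-3", "Subject": "Re: photos", "attachments": ["photos.pif"]},
]

# A .reg value line looks like "Name"="Data".
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def check_run_key(reg_export: str) -> list:
    """Return (value name, data) pairs under any hive's ...\\CurrentVersion\\Run
    key that match the worm's persistence entry, by value name or by the
    file it launches."""
    hits = []
    in_run_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Section header: only the Run key itself is of interest (not RunOnce).
            in_run_key = line[1:-1].upper().endswith(r"\CURRENTVERSION\RUN")
            continue
        if not in_run_key:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.groups()
        if name.lower() == RUN_VALUE_NAME.lower() or data.upper().endswith(DROPPED_FILE):
            hits.append((name, data))
    return hits


def check_mail(msg: dict) -> list:
    """Return the reasons one message matches the worm's mail characteristics.

    Exact subject/attachment matches are strong signals; any other .pif
    attachment is reported as a weaker signal (a generalisation beyond the
    page, since every listed attachment is a .pif).
    """
    reasons = []
    if msg.get("Subject", "").strip() in SUBJECTS:
        reasons.append("subject matches worm template")
    for att in msg.get("attachments", []):
        if att in ATTACHMENTS:
            reasons.append(f"known worm attachment {att}")
        elif att.lower().endswith(".pif"):
            reasons.append(f"unexpected .pif attachment {att}")
    return reasons


def scan(reg_export: str = SAMPLE_REG, mails: list = SAMPLE_MAILS) -> dict:
    """Run both checks and return a report keyed by artifact."""
    report = {"registry": check_run_key(reg_export)}
    for msg in mails:
        reasons = check_mail(msg)
        if reasons:
            report[msg["id"]] = reasons
    return report


if __name__ == "__main__":
    for artifact, findings in scan().items():
        print(f"{artifact}: {findings}")
```

On a real host, feed `check_run_key` the output of a registry export of the Run key and `check_mail` the subject and attachment names pulled from a mail store; the registry check deliberately matches on both the value name and the launched file name, so a renamed value that still points at WINMGM32.EXE is caught as well.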

Payload Details

The worm attempts to download a file from www.geocities.com. At the time of writing this file is just a text file containing a URL reference to another file located on a second server in the US. That second file is a backdoor trojan, which the worm downloads and executes.


Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:14