Lumension® Endpoint Intelligence Center


Overview

Threat Risk: HIGH
Destructivity: NONE
Payload:
Detection files published: 18 Aug 2003 03:00:00
Description created: 19 Aug 2003 01:22:00
Description updated: 21 Aug 2003 12:21:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL
Summary: None

W32/Sobig.F@mm

Spreading

The worm arrives as an email with the following characteristics:

Possible subject lines:

Re: Thank you!
Thank you!
Your details
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie

Possible body text:

See the attached file for details
Please see the attached file for details.

Possible attachment names:

your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
When run, the worm copies itself to the Windows directory as winppr32.exe and creates the following registry values:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run "TrayX"="[WINDIR]\winppr32.exe /sinc"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "TrayX"="[WINDIR]\winppr32.exe /sinc"

These Run entries launch the worm at every startup.
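The indicators above (subject lines, body text, attachment names and the TrayX Run-key value) can be turned into a simple matcher for mail logs and registry exports. The following Python is an added example, not Lumension's code: it embeds the page's indicators as constants, runs them over a few constructed sample messages and Run-key entries, and reports what matched. The extra rule that flags any .pif or .scr attachment on its own is an assumption of this example (a weak, generic indicator), not something the description states.

```python
"""Indicator matcher for the W32/Sobig.F@mm description above.

Added example (not Lumension's code). The indicator lists are transcribed
from the description; the .pif/.scr extension rule is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Indicators from the description, lower-cased for case-insensitive matching.
SOBIG_SUBJECTS = {
    "re: thank you!", "thank you!", "your details", "re: details",
    "re: re: my details", "re: approved", "re: your application",
    "re: wicked screensaver", "re: that movie",
}
SOBIG_BODIES = {
    "see the attached file for details",
    "please see the attached file for details.",
}
SOBIG_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}
# Assumption (not from the page): executable .pif/.scr attachments are rare
# in legitimate mail, so the extension alone is treated as a weak indicator.
RISKY_EXTENSIONS = (".pif", ".scr")

# Persistence: HKLM or HKCU ...\Run, value "TrayX" = "[WINDIR]\winppr32.exe /sinc"
RUN_KEY_RE = re.compile(
    r"^HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
RUN_DATA_RE = re.compile(r"winppr32\.exe\s+/sinc\s*$", re.I)


@dataclass
class Message:
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def match_message(msg: Message) -> List[str]:
    """Return the Sobig.F indicators a message matches (empty list = clean)."""
    hits: List[str] = []
    if msg.subject.strip().lower() in SOBIG_SUBJECTS:
        hits.append("subject")
    if msg.body.strip().lower() in SOBIG_BODIES:
        hits.append("body")
    for name in msg.attachments:
        low = name.strip().lower()
        if low in SOBIG_ATTACHMENTS:
            hits.append(f"attachment:{low}")
        elif low.endswith(RISKY_EXTENSIONS):
            hits.append(f"risky-extension:{low}")
    return hits


def is_sobig_autorun(key: str, value_name: str, value_data: str) -> bool:
    """True when a Run-key entry matches the worm's TrayX persistence value."""
    return (RUN_KEY_RE.match(key.strip()) is not None
            and value_name.strip().lower() == "trayx"
            and RUN_DATA_RE.search(value_data.strip()) is not None)


def scan(messages: List[Message]) -> Dict[int, List[str]]:
    """Map message index -> matched indicators, for messages with any hit."""
    result: Dict[int, List[str]] = {}
    for i, msg in enumerate(messages):
        hits = match_message(msg)
        if hits:
            result[i] = hits
    return result


# Constructed sample input: two worm-style messages and one benign message.
SAMPLE_MESSAGES = [
    Message("Re: Thank you!", "See the attached file for details", ["thank_you.pif"]),
    Message("Re: Wicked screensaver", "Please see the attached file for details.",
            ["wicked_scr.scr"]),
    Message("Lunch tomorrow?", "Are you free at noon?", ["agenda.txt"]),
]

# Constructed Run-key entries as (key, value name, value data).
SAMPLE_RUN_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "TrayX",
     r"C:\WINDOWS\winppr32.exe /sinc"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Program Files\Vendor\updater.exe /background"),
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_MESSAGES).items():
        print(f"message {i}: {', '.join(hits)}")
    for key, name, data in SAMPLE_RUN_ENTRIES:
        verdict = "SOBIG.F persistence" if is_sobig_autorun(key, name, data) else "ok"
        print(f"{key}\\{name}: {verdict}")
```

Matching is exact on the whole subject and body because the description gives fixed strings; a gateway that sees quoting or footers added to the body would need a substring match instead. The registry check matches the path and the command line rather than the literal [WINDIR] placeholder, since the real value holds the expanded Windows directory.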

Payload Details

n/a

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:12