Confused
Elite Member
For those that don't venture out of here, there are some emails floating around, mainly appearing to come from support@microsoft.com, which are actually a virus. There are also some reports of them coming from support@rr.com and other ISPs. They are also coming through as MANY other names/addresses, but they are all characterised by using a .PIF extension. DO NOT RUN ANY .PIF FILES
AT OS thread
The Register article (link taken from above thread)
Info from Symantec.
Symantec usually puts out their Live Update on Wednesdays, but they had an early one today because of this. Note the link to a removal tool in the above quote from their page.
W32.Sobig.B@mm is a mass-mailing worm that sends itself to all the email addresses that it finds in the files with the following extensions:
- .wab
- .dbx
- .htm
- .html
- .eml
- .txt
Refer to the Technical Details section of this writeup for the characteristics of the email message.
The worm is also network aware. It enumerates the network resources and copies itself to the following folders on other computers to which it has access:
- Windows\All Users\Start Menu\Programs\StartUp
- Documents and Settings\All Users\Start Menu\Programs\Startup
Symantec Security Response has created a tool to remove W32.Sobig.B@mm. Click here to obtain the tool.
NOTES:
- The worm deactivates on May 31, 2003, and therefore, the last day on which the worm will spread is May 30, 2003.
- Virus definitions dated prior to May 19, 2003 may detect this threat as W32.HLLW.Mankx@mm.
Also Known As: W32.HLLW.Mankx@mm, W32/Palyh@MM [McAfee], W32/Palyh-A [Sophos], I-Worm.Palyh [KAV], WORM_PALYH.A [Trend], Win32.Palyh.A [CA]
Type: Worm
Infection Length: 52,898 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
When W32.Sobig.B@mm is executed, it performs the following actions:
1. Copies itself as %Windir%\msccn32.exe.
NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
2. Creates the following files:
- %Windir%\hnks.ini
- %Windir%\msdbrr.ini
3. Adds the value:
"System Tray"="%Windir%\msccn32.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that W32.Sobig.B@mm runs when you start Windows.
4. If the operating system is Windows NT/2000/XP, then the worm will also add the value:
"System Tray"="%Windir%\msccn32.exe"
to the registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. Enumerates the Network Resources and copies itself to the following folders:
- Windows\All Users\Start Menu\Programs\StartUp
- Documents and Settings\All Users\Start Menu\Programs\Startup
6. Attempts to download data from four different GeoCities Web pages. The addresses of these Web pages are stored in the aforementioned .ini files.
Email Routine Details
W32.Sobig.B@mm uses its own SMTP engine to email itself to all the contacts it finds in the files with the following file extensions:
- .wab
- .dbx
- .htm
- .html
- .eml
- .txt
The email message has the following characteristics:
From: support@microsoft.com
Subject: The subject line will be one of the following:
- Your details
- Approved (Ref: 38446-263)
- Re: Approved (Ref: 3394-65467)
- Your password
- Re: My details
- Screensaver
- Cool screensaver
- Re: Movie
- Re: My application
Message Body: All information is in the attached file.
Attachment: The attachment name will be one of the following:
- your_details.pif
- ref-394755.pif
- pproved.pif
- password.pif
- doc_details.pif
- screen_temp.pif
- screen_doc.pif
- movie28.pif
- application.pif
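As an added example (not part of the original post or Symantec's writeup), here is a small Python mail-filter check that turns the email characteristics listed above into detection logic: it flags any message carrying a .pif attachment (matched case-insensitively, since the post warns about .PIF) together with one of the listed attachment names, subject lines, or the spoofed support@microsoft.com sender. The sample messages are constructed in the script and are not real captures.

```python
from email.message import EmailMessage
from email import policy
from email.parser import BytesParser

# Indicators taken from the writeup quoted above.
SOBIG_B_FROM = "support@microsoft.com"
SOBIG_B_SUBJECTS = {
    "Your details", "Approved (Ref: 38446-263)", "Re: Approved (Ref: 3394-65467)",
    "Your password", "Re: My details", "Screensaver", "Cool screensaver",
    "Re: Movie", "Re: My application",
}
SOBIG_B_ATTACHMENTS = {
    "your_details.pif", "ref-394755.pif", "pproved.pif", "password.pif",
    "doc_details.pif", "screen_temp.pif", "screen_doc.pif", "movie28.pif",
    "application.pif",
}

def classify(raw: bytes) -> dict:
    """Return which Sobig.B email indicators a raw RFC 822 message matches."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    names = [p.get_filename().lower() for p in msg.walk() if p.get_filename()]
    subject = str(msg["subject"] or "").strip()
    sender = str(msg["from"] or "").lower()
    return {
        "pif_attachment": any(n.endswith(".pif") for n in names),  # .PIF in any case
        "known_attachment": any(n in SOBIG_B_ATTACHMENTS for n in names),
        "known_subject": subject in SOBIG_B_SUBJECTS,
        "spoofed_sender": SOBIG_B_FROM in sender,
    }

def is_sobig_b_candidate(raw: bytes) -> bool:
    """A .pif attachment plus any other indicator is treated as a hit."""
    hits = classify(raw)
    return hits["pif_attachment"] and (
        hits["known_attachment"] or hits["known_subject"] or hits["spoofed_sender"]
    )

def build_sample(sender: str, subject: str, filename: str) -> bytes:
    """Construct a test message (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", subject
    msg.set_content("All information is in the attached file.")
    msg.add_attachment(b"MZ placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

WORM_MAIL = build_sample("support@microsoft.com", "Your details", "YOUR_DETAILS.PIF")
BENIGN_MAIL = build_sample("colleague@example.com", "Quarterly report", "report.pdf")

if __name__ == "__main__":
    for label, raw in (("worm", WORM_MAIL), ("benign", BENIGN_MAIL)):
        print(label, classify(raw), "->", is_sobig_b_candidate(raw))
```

A hit on the .pif check alone is still worth quarantining given the post's blanket warning; the extra indicators only raise confidence that it is this specific worm.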