Rottz Just Arrived
Joined: 29 Mar 2003 Posts: 3 Location: East Coast, USA
Posted: Wed Jun 25, 2003 9:56 pm Post subject: W32/Sobig.E-mm
From MessageLabs at Wed, 25 Jun 2003 15:35:13 GMT
On 25th June 2003, MessageLabs the email security company intercepted several copies of a mass-mailing virus which appeared to be a variant of W32/Sobig.C-mm, and was later identified as W32/Sobig.E-mm. The initial copies all originated from the United States.
Name: W32/Sobig.E-mm
Number of copies intercepted so far: 99627
Time & Date first Captured: 25th June 2003 07:43 GMT
Origin of first intercepted copy: United States
Countries stopped in: 131
Peak infection ratio: 1 / 325
Stats as of Fri Jun 27 21:55:28 EDT 2003
More Info: W32/Sobig.E-mm
--------------------------------------------------------------------------------------
Details from Sophos.com at Wed, 25 Jun 2003 17:40:21 +0100 (BST)
This worm arrives via email and attempts to travel via network shares. The worm sends itself as an attachment to email addresses collected from infected computers.
A typical email has the following format:
Subject line: chosen from
- Re: Application
- Re: Movie
- Re: Movies
- Re: Submited (Ref: 003746)
- Re: Screensaver
- Re: Documents
- Re: Re: Application ref. 003644
- Re: Re: Document
- Your application
- Application.pif
- Applications.pif
- movie.pif
- screensaver.scr
- submited.pif
- new_document.pif
- re.document.pif
- 004448554.pif
- referer.pif
Message text:
Please see the attached zip file for details
Attached file: one of
- your_details.zip (containing details.pif)
- application.zip (containing application.pif)
- document.zip (containing document.pif)
- screensaver.zip (containing sky_world.scr)
- Movie.zip (containing Movie.pif)
W32/Sobig-E may spoof the From field of the sent emails using the email address support@yahoo.com or addresses collected from the user's computer.
When run, W32/Sobig-E copies itself into the Windows folder as winssk32.exe and sets the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSK Service = <Windows folder>\winssk32.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSK Service = <Windows folder>\winssk32.exe
W32/Sobig-E will not spread if the date is 14th July or later.
More Info: W32/Sobig-E
-------------------------------------------------------------------------------------
From [url]Avertlabs.com[/url] at Wed, 25 Jun 2003 13:35:40 -0500
Advisory
This is a Medium Virus Advisory for W32/Sobig.e@MM worm.
Justification
W32/Sobig.e@MM has been deemed Medium due to prevalence.
Read About It
Information about W32/Sobig.e@MM is located on VIL at:
http://vil.nai.com/vil/content/v_100429.htm
If you suspect you have W32/Sobig.e@MM, please submit a sample to http://www.webimmune.net
-------------------------------------------------------------------------------------
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
- Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode).
- WinNT/2K/XP - [url=vil.nai.com/vil/systemhelpdocs/endtask.htm]Terminate the process[/url] winssk32.exe
- Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt)
- Delete unusual executables from the following folders:
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
- C:\Windows\All Users\Start Menu\Programs\Startup\
- [url=vil.nai.com/vil/SystemHelpDocs/Regedit.htm]Edit the registry[/url]
- Delete the "SFtrb Service" value from
- "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
- "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
- Reboot the system
[url=vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm]Additional Windows ME/XP removal considerations[/url]
-------------------------------------------------------------------------------------
From Kaspersky Lab
Some interesting info the other vendors didn't mention.
Sobig.e is a worm virus spreading via the Internet as a file attached to infected emails. The Sobig.e worm also spreads through open network shares.
The worm itself is a Windows PE EXE file that is written in Microsoft Visual C++ and is compressed by the TeLock utility. Its file sizes are typically around 80K and above when compressed (TeLock), while its decompressed size is about 130K.
What separates Sobig.e from its four predecessors is its use of the Zip file format; what it does after system infection is virtually identical to past Sobig variants.
Spreading: via network
The worm takes note of all accessible network resources (other computers in a network) and copies itself to the auto-start directories (if there are such subdirectories) of each resource (computer) found.
Windows\All Users\Start Menu\Programs\StartUp\
Documents and Settings\All Users\Start Menu\Programs\Startup\
Updating
The worm opens network connections on ports 995, 996, 997, 998, and 999, and then takes commands from its "master", and receives data from its "master". The data comes in the form of some URLs. The worm downloads files from these URLs and executes them. As a result the worm is able to "upgrade" itself with new versions, and/or to install other applications (trojan programs for example).
More Info: I-Worm.Sobig.e
--------------------------------------------------------------------------------------
Last edited by Rottz on Wed Aug 13, 2003 8:22 pm; edited 6 times in total
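The Sophos description above gives enough of the message pattern (spoofed support@yahoo.com sender, a fixed set of subjects, a .zip that wraps a .pif or .scr) for a gateway-side check. The following is an added example, not code from any of the vendors quoted in this post; it assumes raw RFC 822 messages as input and builds its own constructed sample, so it runs offline.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage
# Subjects and archive names listed in the Sophos description above.
SOBIG_E_SUBJECTS = {
    "re: application", "re: movie", "re: movies", "re: submited (ref: 003746)",
    "re: screensaver", "re: documents", "re: re: application ref. 003644",
    "re: re: document", "your application",
}
SOBIG_E_ZIPS = {"your_details.zip", "application.zip", "document.zip",
                "screensaver.zip", "movie.zip"}
EXECUTABLE_EXTS = (".pif", ".scr", ".exe")

def zip_members_with_executables(data: bytes) -> list[str]:
    """Names of archive members with an executable extension; [] if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []

def sobig_e_indicators(raw: bytes) -> list[str]:
    """Check one raw RFC 822 message against the Sobig.E pattern; return the hits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in SOBIG_E_SUBJECTS or subject.endswith((".pif", ".scr")):
        hits.append("subject:" + subject)
    if "support@yahoo.com" in (msg["from"] or "").lower():   # spoofed sender
        hits.append("from:support@yahoo.com")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        execs = zip_members_with_executables(part.get_payload(decode=True) or b"")
        if execs:   # the .zip-wrapping-a-.pif trick that distinguished Sobig.E
            hits.append(f"zip-with-executable:{name}:{','.join(execs)}")
        if name in SOBIG_E_ZIPS:
            hits.append("known-zip-name:" + name)
    return hits

def build_sample(subject, zip_name, member, sender="support@yahoo.com") -> bytes:
    """Constructed test message (not a real capture) with a zip holding `member`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not a real executable")
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content("Please see the attached zip file for details")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return m.as_bytes()
```

The zip-member check is the one worth keeping after the subject list goes stale, since it catches the archive-wrapped executable regardless of the file names chosen.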
Rottz Just Arrived
Joined: 29 Mar 2003 Posts: 3 Location: East Coast, USA
Posted: Thu Jun 26, 2003 5:12 am Post subject: W32.Sobig.E@mm Removal Tool
W32.Sobig.E@mm Removal Tool
Symantec Security Response has developed a removal tool to clean the [url=securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e%40mm.html]W32.Sobig.E@mm[/url] infections.
What the tool does
The W32.Sobig.E@mm Removal Tool does the following:
- Terminates the W32.Sobig.E@mm viral processes.
- Deletes the W32.Sobig.E@mm files.
- Deletes the dropped files.
- Deletes the registry values that the worm added.
Obtaining and running the tool
NOTE: You need administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP.
- Download the FixSbige.exe file from:
http://securityresponse.symantec.com/avcenter/FixSbigE.exe
- Save the file to a convenient location, such as your downloads folder or the Windows Desktop (or removable media that is known to be uninfected, if possible).
- To check the authenticity of the digital signature, refer to the section, "Digital signature."
- Close all the running programs before running the tool.
- If you are on a network or you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
- If you are running Windows Me or XP, then disable System Restore. Refer to the section, "System Restore option in Windows Me/XP," for additional details.
CAUTION: If you are running Windows Me/XP, we strongly recommend that you do not skip this step. The removal procedure may be unsuccessful if Windows Me/XP System Restore is not disabled, because Windows prevents outside programs from modifying System Restore.
- Double-click the FixSbige.exe file to start the removal tool.
- Click Start to begin the process, and then allow the tool to run.
NOTE: If, when running the tool, you see a message that the tool was not able to remove one or more files, run the tool in Safe mode. Shut down the computer, turn off the power, and wait 30 seconds. Restart the computer in Safe mode and run the tool again. All the Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions, read the document "[url=service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406]How to start the computer in Safe Mode[/url]."
- Restart the computer.
- Run the removal tool again to ensure that the system is clean.
- If you are running Windows Me/XP, then re-enable System Restore.
- Run LiveUpdate to make sure that you are using the most current virus definitions.
When the tool has finished running, you will see a message indicating whether W32.Sobig.E@mm infected the computer. In the case of a worm removal, the program displays the following results:
- Total number of the scanned files
- Number of deleted files
- Number of terminated viral processes
- Number of fixed registry entries
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
- [url=service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239]How to disable or enable Windows Me System Restore[/url].
- [url=service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039]How to turn off or turn on Windows XP System Restore[/url].
For additional information and an alternative to disabling Windows Me System Restore, read the Microsoft Knowledge Base article, "[url=support.microsoft.com/default.aspx?scid=kb;EN-US;q263455]Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Q263455)[/url]."
source: http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e%40mm.removal.tool.html
effortless Just Arrived
Joined: 13 Feb 2003 Posts: 8 Location: grounded
Posted: Sun Jun 29, 2003 6:56 pm Post subject:
I had 3 instances of Sobig the other day from different sources. I also had one on Operamail, which is totally unconnected with any of my other identities. It must be getting pushed out big time, so look out.
QueenB Just Arrived
Joined: 27 Jun 2003 Posts: 0 Location: CT
Posted: Mon Jun 30, 2003 2:34 pm Post subject:
Should I send out an email to the company stating the facts above (the names of the emails...)? The last one like this we got hit with took 4 hours to get out (it took the network down). It was a pain.
Giro New Member
Joined: 25 Mar 2004 Posts: 22 Location: England
Posted: Mon Jun 30, 2003 2:46 pm Post subject:
Wouldn't you be safe if you have an up-to-date anti-virus, don't just open attachments, and use good passwords on your shares?
effortless Just Arrived
Joined: 13 Feb 2003 Posts: 8 Location: grounded
Posted: Fri Jul 04, 2003 12:51 am Post subject:
Ol Man wrote:
Wouldn't you be safe if you have an up-to-date anti-virus, don't just open attachments, and use good passwords on your shares?
It is insidious; the e-mails look really genuine. If you had an e-mail from your best mate with a .zip attached, you would have to be pretty on the ball not to open it. It got past Norton on one system, so what do you think?
97cr250 Just Arrived
Joined: 16 Apr 2003 Posts: 3 Location: S34TTL3
Posted: Fri Jul 04, 2003 3:50 am Post subject:
This is definitely one persistent little virus... I had 3 clients at work get emailed this little bug, and my home email address got it as well (which is completely separate from my work email). Of course, all of our virus definitions were more than a couple of weeks old, so it got right through (although nobody ran it).
97cr250