W32/Sobig.E-mm

Rottz
Just Arrived
Joined: 29 Mar 2003
Posts: 3
Location: East Coast, USA

PostPosted: Wed Jun 25, 2003 9:56 pm    Post subject: W32/Sobig.E-mm

From MessageLabs at Wed, 25 Jun 2003 15:35:13 GMT

On 25th June 2003, MessageLabs the email security company intercepted several copies of a mass-mailing virus which appeared to be a variant of W32/Sobig.C-mm, and was later identified as W32/Sobig.E-mm. The initial copies all originated from the United States.

Name: W32/Sobig.E-mm
Number of copies intercepted so far: 99627
Time & Date first Captured: 25th June 2003 07:43GMT
Origin of first intercepted copy: United States
Countries stopped in: 131
Peak infection ratio: 1 / 325

Stats as of Fri Jun 27 21:55:28 EDT 2003

More Info: W32/Sobig.E-mm
--------------------------------------------------------------------------------------
Details from Sophos.com at Wed, 25 Jun 2003 17:40:21 +0100 (BST)

This worm arrives via email and attempts to travel via network shares. The worm sends itself as an attachment to email addresses collected from infected computers.

A typical email has the following format:

Subject line: Chosen from -
  • Re: Application
  • Re: Movie
  • Re: Movies
  • Re: Submited (Ref: 003746)
  • Re: Screensaver
  • Re: Documents
  • Re: Re: Application ref. 003644
  • Re: Re: Document
  • Your application
  • Application.pif
  • Applications.pif
  • movie.pif
  • screensaver.scr
  • submited.pif
  • new_document.pif
  • re.document.pif
  • 004448554.pif
  • referer.pif
Message text:
Please see the attached zip file for details

Attached file: One of -
  • your_details.zip (containing details.pif)
  • application.zip (containing application.pif)
  • document.zip (containing document.pif)
  • screensaver.zip (containing sky_world.scr)
  • Movie.zip (containing Movie.pif)
W32/Sobig-E may spoof the From field of the sent emails using the email address support@yahoo.com or addresses collected from the user's computer.

When run W32/Sobig-E copies itself into the Windows folder as winssk32.exe and sets the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSK Service = <Windows folder>\winssk32.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSK Service = <Windows folder>\winssk32.exe

W32/Sobig-E will not spread if the date is 14th July or later.

More Info: W32/Sobig-E
-------------------------------------------------------------------------------------
From Avertlabs.com at Wed, 25 Jun 2003 13:35:40 -0500

Advisory
This is a Medium Virus Advisory for W32/Sobig.e@MM worm.

Justification
W32/Sobig.e@MM has been deemed Medium due to prevalence.

Read About It
Information about W32/Sobig.e@MM is located on VIL at:
http://vil.nai.com/vil/content/v_100429.htm

If you suspect you have W32/Sobig.e@MM, please submit a sample to http://www.webimmune.net
-------------------------------------------------------------------------------------
Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. - Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
    - WinNT/2K/XP - [url=vil.nai.com/vil/systemhelpdocs/endtask.htm]Terminate the process[/url] winssk32.exe
  2. Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt)
    • winssk32.exe
    • msrrf.dat

  3. Delete unusual executables from the following folders:
    • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    • C:\Windows\All Users\Start Menu\Programs\Startup\

  4. [url=vil.nai.com/vil/SystemHelpDocs/Regedit.htm]Edit the registry[/url]
    • Delete the "SFtrb Service" value from

    1. "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
    2. "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

  5. Reboot the system
[url=vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm]Additional Windows ME/XP removal considerations[/url]
-------------------------------------------------------------------------------------
From Kaspersky Lab
Some interesting info the other vendors didn't mention.

Sobig.e is a worm virus spreading via the Internet as a file attached to infected emails. The Sobig.e worm also spreads through open network shares.

The worm itself is a Windows PE EXE file that is written in Microsoft Visual C++ and is compressed by the TeLock utility. Its file sizes are typically around 80K and above when compressed (TeLock), while its decompressed size is about 130K.

Separating Sobig.e from its four predecessors is its use of the Zip file format; what it does after system infection is virtually identical to past Sobig variants.

Spreading: via network
The worm takes note of all accessible network resources (other computers in a network) and copies itself to the auto-start directories (if there are such subdirectories) of each resource (computer) found.

Windows\All Users\Start Menu\Programs\StartUp\
Documents and Settings\All Users\Start Menu\Programs\Startup\

Updating
The worm opens network connections on ports 995, 996, 997, 998, and 999, and then takes commands from its "master", and receives data from its "master". The data comes in the form of some URLs. The worm downloads files from these URLs and executes them. As a result the worm is able to "upgrade" itself with new versions, and/or to install other applications (trojan programs for example).

More Info: I-Worm.Sobig.e
--------------------------------------------------------------------------------------
Last edited by Rottz on Wed Aug 13, 2003 8:22 pm; edited 6 times in total
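The Sophos details quoted in the post above give the subject lines, the fixed message text, the spoofed sender and the zip-wrapped .pif/.scr attachments. The following is an added example, not code from any of the vendors quoted here, of a mail-gateway check that matches a message against that pattern. All names (`score_message`, `build_sample`, `executables_in_zip`) are chosen for this example; the sample messages are constructed, and the zip they carry holds a harmless placeholder rather than a worm sample. The point it demonstrates is that the zip wrapper is what defeated attachment filters that only looked at bare .pif/.scr names, so the check opens the zip's central directory (without extracting anything) and blocks on an executable member alone.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators quoted from the Sophos write-up above. "Submited" is the
# worm's own misspelling and is matched as written.
SOBIG_E_SUBJECTS = {
    "Re: Application", "Re: Movie", "Re: Movies", "Re: Submited (Ref: 003746)",
    "Re: Screensaver", "Re: Documents", "Re: Re: Application ref. 003644",
    "Re: Re: Document", "Your application", "Application.pif", "Applications.pif",
    "movie.pif", "screensaver.scr", "submited.pif", "new_document.pif",
    "re.document.pif", "004448554.pif", "referer.pif",
}
SOBIG_E_BODY = "Please see the attached zip file for details"
SPOOFED_SENDER = "support@yahoo.com"
# Extensions Windows executes on double-click; the worm ships .pif and .scr.
EXECUTABLE_EXTENSIONS = (".pif", ".scr", ".exe", ".com", ".bat")


def executables_in_zip(payload: bytes) -> list:
    """Names of zip members with an executable extension; [] if not a zip.
    Only the central directory is read; nothing is extracted or run."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def score_message(raw: bytes) -> dict:
    """Match one RFC 822 message against the pattern; return hits plus a verdict.

    A zip wrapping an executable blocks on its own: that wrapper is what let
    Sobig.E through gateways that only filtered bare .pif/.scr attachments.
    Subject and body together also block, even if the attachment was stripped.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part is not None else ""
    zipped_executables = []
    for part in msg.iter_attachments():
        inner = executables_in_zip(part.get_payload(decode=True) or b"")
        if inner:
            zipped_executables.append((part.get_filename() or "", inner))
    hits = {
        "subject": str(msg["Subject"] or "").strip() in SOBIG_E_SUBJECTS,
        "body": SOBIG_E_BODY in body_text,
        "spoofed_from": SPOOFED_SENDER in str(msg["From"] or "").lower(),
        "zip_with_executable": bool(zipped_executables),
    }
    blocking = hits["zip_with_executable"] or (hits["subject"] and hits["body"])
    return {"hits": hits, "zipped_executables": zipped_executables,
            "verdict": "block" if blocking else "pass"}


def build_sample(subject: str, sender: str, body: str, zip_name: str, member: str) -> bytes:
    """Construct a test message shaped like the advisory describes.
    The zip member is a harmless placeholder, not a worm sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes for testing, not executable content")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    worm_like = build_sample("Re: Movie", SPOOFED_SENDER, SOBIG_E_BODY, "Movie.zip", "Movie.pif")
    benign = build_sample("Re: lunch", "colleague@example.invalid", "Notes attached.", "notes.zip", "notes.txt")
    for label, raw in (("worm-like", worm_like), ("benign", benign)):
        print(label, score_message(raw))
```

The subject list is deliberately not the main trigger: subjects and sender addresses change between variants, while "archive containing an executable" stays a useful gateway rule regardless of which Sobig version is in circulation.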
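On the host side, the Sophos, Avert and Kaspersky text in the post above between them list the persistence indicators: the Run value launching winssk32.exe from the Windows folder, the dropped files winssk32.exe and msrrf.dat, and executables copied into the All Users Startup folders (which is also how the worm spreads over open shares). The following triage script is an added example and not any vendor's tool; `HostSnapshot`, `evaluate`, `collect_live` and the sample data are all names and values chosen here. Note that the two sources name the Run value differently ("SSK Service" at Sophos, "SFtrb Service" in the Avert removal steps), so the script checks both names and also matches any value whose data points at winssk32.exe. The matching is a pure function over a snapshot so it can be run against data collected on another machine; on Windows, `collect_live` fills the snapshot from the real registry (via the standard `winreg` module) and file system.

```python
import os
from dataclasses import dataclass

# Indicators quoted on this page. Sophos names the Run value "SSK Service";
# Avert's removal steps say "SFtrb Service", so both are checked. The data
# check additionally catches a renamed value that still launches winssk32.exe.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
SUSPECT_VALUE_NAMES = {"ssk service", "sftrb service"}
SUSPECT_FILES = {"winssk32.exe", "msrrf.dat"}
STARTUP_DIRS = (
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
    r"C:\Windows\All Users\Start Menu\Programs\Startup",
)
# Shortcuts (.lnk) are normal in a Startup folder; real executables are not.
EXECUTABLE_EXTENSIONS = (".exe", ".pif", ".scr", ".com", ".bat")


@dataclass
class HostSnapshot:
    run_values: dict      # {run key path: {value name: data}}
    windows_dir: str      # e.g. C:\WINDOWS
    windows_files: list   # file names found directly in windows_dir
    startup_files: dict   # {startup folder: [file names]}


@dataclass
class Finding:
    kind: str       # "registry", "file" or "startup"
    location: str   # registry key or folder
    detail: str     # value and data, or file name


def _basename(path: str) -> str:
    """Last path component, Windows style, tolerant of quotes and forward slashes."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(snapshot: HostSnapshot) -> list:
    """Pure matching over a snapshot, so it also works on data collected elsewhere."""
    findings = []
    for key, values in snapshot.run_values.items():
        for name, data in values.items():
            if name.lower() in SUSPECT_VALUE_NAMES or _basename(str(data)) == "winssk32.exe":
                findings.append(Finding("registry", key, f"{name} = {data}"))
    for fname in snapshot.windows_files:
        if fname.lower() in SUSPECT_FILES:
            findings.append(Finding("file", snapshot.windows_dir, fname))
    for folder, names in snapshot.startup_files.items():
        for fname in names:
            if fname.lower().endswith(EXECUTABLE_EXTENSIONS):
                findings.append(Finding("startup", folder, fname))
    return findings


def collect_live() -> HostSnapshot:
    """Read the local machine; Windows only (uses the standard winreg module)."""
    import winreg
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    run_values = {}
    for key_path in RUN_KEYS:
        hive, _, subkey = key_path.partition("\\")
        values = {}
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):
                    name, data, _ = winreg.EnumValue(k, i)
                    values[name] = data
        except OSError:
            pass  # key absent or not readable
        run_values[key_path] = values
    windows_dir = os.environ.get("SystemRoot", r"C:\Windows")
    startup = {d: os.listdir(d) for d in STARTUP_DIRS if os.path.isdir(d)}
    return HostSnapshot(run_values, windows_dir, os.listdir(windows_dir), startup)


def sample_infected_snapshot() -> HostSnapshot:
    """Constructed snapshot carrying the page's indicators plus benign noise (not real host data)."""
    return HostSnapshot(
        run_values={
            RUN_KEYS[0]: {"SSK Service": r"C:\WINDOWS\winssk32.exe",
                          "VendorTray": r"C:\Program Files\Vendor\tray.exe"},
            RUN_KEYS[1]: {"SFtrb Service": r"C:\WINDOWS\winssk32.exe"},
        },
        windows_dir=r"C:\WINDOWS",
        windows_files=["explorer.exe", "winssk32.exe", "msrrf.dat", "win.ini"],
        startup_files={STARTUP_DIRS[0]: ["desktop.ini", "Office.lnk", "winssk32.exe"],
                       STARTUP_DIRS[1]: []},
    )


if __name__ == "__main__":
    snap = collect_live() if os.name == "nt" else sample_infected_snapshot()
    for f in evaluate(snap):
        print(f"{f.kind:9} {f.location}  {f.detail}")
```

The script only reports; removal is left to the documented steps, since deleting the Run value before the process is terminated lets the worm re-create it. The Startup-folder check deliberately flags any executable rather than only winssk32.exe, because the Kaspersky text says the worm writes itself into those folders on remote machines, where the file name is the only thing a remote scan can see.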
Rottz
Just Arrived
Joined: 29 Mar 2003
Posts: 3
Location: East Coast, USA

PostPosted: Thu Jun 26, 2003 5:12 am    Post subject: W32.Sobig.E@mm Removal Tool

W32.Sobig.E@mm Removal Tool

Symantec Security Response has developed a removal tool to clean the [url=securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e%40mm.html]W32.Sobig.E@mm[/url] infections.

What the tool does

The W32.Sobig.E@mm Removal Tool does the following:
  1. Terminates the W32.Sobig.E@mm viral processes.
  2. Deletes the W32.Sobig.E@mm files.
  3. Deletes the dropped files.
  4. Deletes the registry values that the worm added.

Obtaining and running the tool

NOTE: You need administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP.
  1. Download the FixSbige.exe file from:
    http://securityresponse.symantec.com/avcenter/FixSbigE.exe
  2. Save the file to a convenient location, such as your downloads folder or the Windows Desktop (or removable media that is known to be uninfected, if possible).
  3. To check the authenticity of the digital signature, refer to the section, "Digital signature."
  4. Close all the running programs before running the tool.
  5. If you are on a network or you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
  6. If you are running Windows Me or XP, then disable System Restore. Refer to the section, "System Restore option in Windows Me/XP," for additional details.

    CAUTION: If you are running Windows Me/XP, we strongly recommend that you do not skip this step. The removal procedure may be unsuccessful if Windows Me/XP System Restore is not disabled, because Windows prevents outside programs from modifying System Restore.

  7. Double-click the FixSbige.exe file to start the removal tool.
  8. Click Start to begin the process, and then allow the tool to run.

    NOTE: If, when running the tool, you see a message that the tool was not able to remove one or more files, run the tool in Safe mode. Shut down the computer, turn off the power, and wait 30 seconds. Restart the computer in Safe mode and run the tool again. All the Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions, read the document "[url=service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406]How to start the computer in Safe Mode[/url]."

  9. Restart the computer.
  10. Run the removal tool again to ensure that the system is clean.
  11. If you are running Windows Me/XP, then re-enable System Restore.
  12. Run LiveUpdate to make sure that you are using the most current virus definitions.
When the tool has finished running, you will see a message indicating whether W32.Sobig.E@mm infected the computer. In the case of a worm removal, the program displays the following results:
  • Total number of the scanned files
  • Number of deleted files
  • Number of terminated viral processes
  • Number of fixed registry entries
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
  • [url=service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239]How to disable or enable Windows Me System Restore[/url].
  • [url=service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039]How to turn off or turn on Windows XP System Restore[/url].
For additional information and an alternative to disabling Windows Me System Restore, read the Microsoft Knowledge Base article, "[url=support.microsoft.com/default.aspx?scid=kb;EN-US;q263455]Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Q263455)[/url]."

source: http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e%40mm.removal.tool.html
effortless
Just Arrived
Joined: 13 Feb 2003
Posts: 8
Location: grounded

PostPosted: Sun Jun 29, 2003 6:56 pm

I had 3 instances of Sobig the other day from different sources. I also had one on Operamail, which is totally unconnected with any of my other identities. It must be getting pushed out big time, so look out. Ninja!
QueenB
Just Arrived
Joined: 27 Jun 2003
Posts: 0
Location: CT

PostPosted: Mon Jun 30, 2003 2:34 pm

Should I send out an email to the company stating the facts above (the names of the emails...)? The last one like this we got hit with, it took 4 hours to get it out (took the network down). It was a pain.
Giro
New Member
Joined: 25 Mar 2004
Posts: 22
Location: England

PostPosted: Mon Jun 30, 2003 2:46 pm

Wouldn't you be safe if you have an up-to-date anti-virus? Don't just open attachments. And use good passwords on your shares.
effortless
Just Arrived
Joined: 13 Feb 2003
Posts: 8
Location: grounded

PostPosted: Fri Jul 04, 2003 12:51 am

Ol Man wrote:
Wouldn't you be safe if you have an up-to-date anti-virus? Don't just open attachments. And use good passwords on your shares.


It is insidious; the e-mails look really genuine. If you had an e-mail from your best mate with a .zip attached, you would have to be pretty on the ball not to open it. It got past Norton on one system, so what do you think?
97cr250
Just Arrived
Joined: 16 Apr 2003
Posts: 3
Location: S34TTL3

PostPosted: Fri Jul 04, 2003 3:50 am

This is definitely one persistent little virus... I had 3 clients at work get emailed this little bug, and my home email address got it as well (which is completely separate from my work email). Of course all of our virus definitions were more than a couple of weeks old, so it got right through (although nobody ran it).
97cr250