
Win32.SoBig.E@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.SoBig.E@mm is also known as W32/Sobig.e@MM (McAfee).

Explanation :

Similar to Win32.Sobig.D@mm, this mass mailer spreads through e-mail and network shares. It will deactivate itself on July 14 2003.

The infected e-mails look like this:

From: support@yahoo.com (usually, but it can be any e-mail address)

Subject is chosen from the following:

004448554.pif
Application.pif
Applications.pif
movie.pif
new document.pif
Referer.pif
Screensaver.scr
submited.pif
Your application
Re: Application
Re: document.pif
Re: Documents
Re: Movie
Re: Movies
Re: Screensaver
Re: Submitted
Re: Re: Application ref 003644
Re: Re: Document

Body: Please see the attached zip file for details.

Attachment can be:

application.zip (containing application.pif)
document.zip (containing document.pif)
Movie.zip (containing Movie.pif)
screensaver.zip (containing sky_world.scr)
Your_details.zip (containing details.pif)

Once executed, the virus creates a copy of itself as winssk32.exe and a configuration file, msrrf.dat, both in the Windows folder. It then creates registry keys so that it is run at every Windows startup.

It then searches files with the extensions .wab, .dbx, .htm, .html, .eml and .txt and harvests e-mail addresses from them. It features its own SMTP engine, which it uses to send zipped copies of itself to the harvested addresses.

It also spreads through network shares and attempts to place copies of itself in:

C:\Windows\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Due to a bug in the virus, the last letter of the attachment's name may be missing (for example: Your_details.zi).
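As an added defender-side example (not BitDefender's code), the following Python matches an RFC 822 message against the mail indicators listed in this entry: the subject lines, the body text and the attachment names, including the truncated form produced by the bug just described. The sample message is constructed inline and is not a real capture.

```python
"""Heuristic check for the Win32.SoBig.E@mm mail pattern (added example)."""
import email
from email.message import EmailMessage

# Indicators taken from the description above.
SUBJECTS = {
    "004448554.pif", "Application.pif", "Applications.pif", "movie.pif",
    "new document.pif", "Referer.pif", "Screensaver.scr", "submited.pif",
    "Your application", "Re: Application", "Re: document.pif", "Re: Documents",
    "Re: Movie", "Re: Movies", "Re: Screensaver", "Re: Submitted",
    "Re: Re: Application ref 003644", "Re: Re: Document",
}
BODY = "please see the attached zip file for details."
ATTACHMENTS = {"application.zip", "document.zip", "movie.zip",
               "screensaver.zip", "your_details.zip"}


def attachment_matches(filename: str) -> bool:
    """True if the name is a known attachment name, also accepting the
    variant with the last character dropped (e.g. 'Your_details.zi')."""
    name = filename.strip().lower()
    return any(name in (a, a[:-1]) for a in ATTACHMENTS)


def sobig_e_indicators(raw: bytes) -> list[str]:
    """Return the indicators matched by one raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    hits = []
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and attachment_matches(fname):
            hits.append("attachment:" + fname)
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode(errors="replace")
            if BODY in text.strip().lower():
                hits.append("body")
    return hits


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Construct a synthetic message with a placeholder zip attachment."""
    m = EmailMessage()
    m["From"] = "support@yahoo.com"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"PK\x03\x04 constructed placeholder, not a real archive",
                     maintype="application", subtype="zip", filename=attachment_name)
    return m.as_bytes()
```

Running `sobig_e_indicators(build_sample("Re: Movies", "Please see the attached zip file for details.", "Your_details.zi"))` reports the subject, body and truncated attachment as matched.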

Last update 21 November 2011
