Win32.Sobig.C@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Sobig.C@mm is also known as W32/Sobig.C@mm, Win32/Sobig.C@mm.
Explanation:
Win32.Sobig.C@mm is an Internet worm that spreads through e-mail and local shares.
It arrives in the following format:
From: bill@microsoft.com
Subject: randomly chosen from the following strings.
Re: Movie
Re: Submited (004756-3463)
Re: 45443-343556
Re: Approved
Approved
Re: Your application
Re: Application
Body:
Please see the attached file
Attachment: randomly chosen from the following strings
screensaver.scr
movie.pif
submited.pif
45443.pif
documents.pif
approved.pif
application.pif
document.pif
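The arrival format above is fixed enough to check for at a mail gateway. The following Python is an added example, not BitDefender's code and not from the original page: it parses a raw RFC 822 message with the standard library, reports which of the four indicators listed above (spoofed sender, subject line, one-line body, attachment name) are present, and treats a listed attachment name plus any second indicator as a detection. The function names, the two-indicator threshold and the messages produced by build_sample() are my own constructions.

```python
"""Mail-gateway triage for the Win32.Sobig.C@mm arrival format.

Added example (not BitDefender's code).  Checks a raw RFC 822 message for the
spoofed sender, fixed subject lines, one-line body and attachment names the
description lists.  Sample messages are constructed with build_sample().
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage

SOBIG_C_SENDER = "bill@microsoft.com"
SOBIG_C_SUBJECTS = {
    "Re: Movie", "Re: Submited (004756-3463)", "Re: 45443-343556",
    "Re: Approved", "Approved", "Re: Your application", "Re: Application",
}
SOBIG_C_ATTACHMENTS = {
    "screensaver.scr", "movie.pif", "submited.pif", "45443.pif",
    "documents.pif", "approved.pif", "application.pif", "document.pif",
}
SOBIG_C_BODY = "please see the attached file"


def attachment_names(msg):
    """Lower-cased filenames of every part carrying Content-Disposition: attachment."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and part.get_content_disposition() == "attachment":
            names.append(name.lower())
    return names


def sobig_c_indicators(raw):
    """Return the indicators ('sender', 'subject', 'body', 'attachment') present in a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if sender == SOBIG_C_SENDER:
        hits.append("sender")
    if str(msg.get("Subject", "")).strip() in SOBIG_C_SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() == SOBIG_C_BODY:
        hits.append("body")
    if any(name in SOBIG_C_ATTACHMENTS for name in attachment_names(msg)):
        hits.append("attachment")
    return hits


def is_sobig_c(raw):
    """Detection rule (my choice): a listed attachment name plus at least one other indicator."""
    hits = sobig_c_indicators(raw)
    return "attachment" in hits and len(hits) >= 2


def build_sample(sender, subject, body, attachment_name=None):
    """Construct a message in the worm's layout for testing (constructed data, not a capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Placeholder bytes stand in for the executable; only the name matters here.
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    worm = build_sample(SOBIG_C_SENDER, "Re: Approved", "Please see the attached file", "approved.pif")
    benign = build_sample("colleague@example.com", "Re: Movie", "Tickets are booked.")
    print("worm sample:", sobig_c_indicators(worm), is_sobig_c(worm))
    print("benign sample:", sobig_c_indicators(benign), is_sobig_c(benign))
```

Requiring the attachment name plus one further indicator keeps a legitimate "Re: Movie" reply from being quarantined, while still catching a copy whose subject happens to be the one line the rule would otherwise miss; the sender check is weak on its own because bill@microsoft.com is trivially spoofed in any message, which is exactly why the worm uses it.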
When the user opens the attachment of an infected e-mail, the worm copies itself into the %WINDOWS% directory under the following name: %WINDIR%\mscvb32.exe
It creates the file %WINDIR%\msddr.dat
In the registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
it adds the value: "System MScvb" = "C:\WinNT\mcvb32.exe".
It scans the hard drive for the following file types:
.wab
.dbx
.htm
.html
.eml
.txt
and it searches for e-mail addresses inside those files. It then sends itself to every e-mail address found, in the same format in which it arrives.
The worm searches through network shares and copies itself into the following folders:
Windows\All Users\Start Menu\Programs\StartUp
Documents and Settings\All Users\Start Menu\Programs\Startup
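The dropped file, the Run value and the Startup-folder copies described above are the artifacts a responder would sweep for. The following Python is an added example, not BitDefender's code and not from the original page: it works on evidence collected from a suspect host or its shares rather than on the live registry, namely a text export of the HKLM Run key as written by `reg export` and a list of file paths. The page does not say what file name the worm uses inside the Startup folders, so the script reports any executable-type file found there for review; that rule, the function names and the sample inputs are my own assumptions and constructions.

```python
"""Host-side triage for the Win32.Sobig.C@mm persistence artifacts.

Added example (not BitDefender's code).  Works on evidence collected from a
suspect host or its shares rather than on the live registry: a text export of
the HKLM Run key as written by `reg export`, and a list of file paths.
The sample inputs are constructed.
"""
import re
from pathlib import PureWindowsPath

# Names taken from the description above; comparisons are case-insensitive.
DROPPED_FILES = {"mscvb32.exe", "msddr.dat"}
RUN_VALUE_NAME = "system mscvb"
RUN_VALUE_IMAGE = "mcvb32.exe"
STARTUP_FOLDERS = (
    ("windows", "all users", "start menu", "programs", "startup"),
    ("documents and settings", "all users", "start menu", "programs", "startup"),
)
# Assumption: the page does not name the file dropped into Startup, so any
# executable-type file found there is reported for review.
EXECUTABLE_SUFFIXES = {".exe", ".pif", ".scr"}


def parse_reg_export(text):
    """Return {value_name: data} for the "name"="data" lines of a .reg export.

    reg export writes REG_SZ data with each backslash doubled; undo that.
    """
    values = {}
    for line in text.splitlines():
        m = re.match(r'^"(.*?)"="(.*)"$', line.strip())
        if m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def suspicious_run_values(reg_text):
    """Run entries whose value name or image file name matches the worm's."""
    found = []
    for name, data in parse_reg_export(reg_text).items():
        image = PureWindowsPath(data.strip('"')).name.lower()
        if name.lower() == RUN_VALUE_NAME or image == RUN_VALUE_IMAGE:
            found.append((name, data))
    return found


def in_startup_folder(parts):
    """True if one of the Startup folder sequences appears among the directory components."""
    dirs = parts[:-1]
    for folder in STARTUP_FOLDERS:
        n = len(folder)
        if any(tuple(dirs[i:i + n]) == folder for i in range(len(dirs) - n + 1)):
            return True
    return False


def suspicious_paths(paths):
    """Paths that are a dropped worm file, or an executable sitting in a Startup folder."""
    found = []
    for p in paths:
        parts = [s.lower() for s in PureWindowsPath(p).parts]
        if not parts:
            continue
        name = parts[-1]
        if name in DROPPED_FILES:
            found.append(p)
        elif in_startup_folder(parts) and PureWindowsPath(name).suffix in EXECUTABLE_SUFFIXES:
            found.append(p)
    return found


# Constructed sample inputs: a Run-key export with one benign entry and the
# worm's value, and a file inventory from the system drive and a share.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\ExampleApp\\updater.exe"
"System MScvb"="C:\\WinNT\\mcvb32.exe"
"""

SAMPLE_PATHS = [
    r"C:\WinNT\mscvb32.exe",
    r"C:\WinNT\msddr.dat",
    r"C:\WinNT\notepad.exe",
    r"\\fileserver\c$\Windows\All Users\Start Menu\Programs\StartUp\update.pif",
    r"\\fileserver\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini",
]


def triage(reg_text, paths):
    """Combine both checks into one report."""
    return {"run_values": suspicious_run_values(reg_text), "files": suspicious_paths(paths)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_REG_EXPORT, SAMPLE_PATHS).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Matching the Run value on either its name or its image file name is deliberate: the description gives the dropped file as mscvb32.exe but the Run data as mcvb32.exe, and a sweep that insisted on both agreeing would miss one of them. The Startup check looks only at directory components, so a share path prefix such as \\fileserver\c$ does not interfere.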
More information will be posted after further analysis.
Last update: 21 November 2011