
Win32.Sobig.F@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Sobig.F@mm is also known as W32/Sobig.F@mm.

Explanation :

It arrives in e-mail in the following format:

Subject: Randomly chosen from the following list:

Re: That movie
Re: Wicked screensaver
Re: Your application
Re: Approved
Re: Re: My details
Re: Details
Your details
Thank you!
Re: Thank you!

Body:

Please see the attached file for details.

or

See the attached file for details

Attachment: Randomly chosen from the following list:

movie0045.pif
wicked_scr.scr
application.pif
document_9446.pif
details.pif
your_details.pif
thank_you.pif
document_all.pif
your_document.pif
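
The lure above is a fixed set of subjects, two body strings and a fixed set of .pif/.scr attachment names, chosen independently of each other. The following is an added example, not BitDefender's code or the worm's, that parses a message with Python's standard email library and scores it against those lists; the sample messages, the extra executable extensions and the verdict labels are assumptions made here for illustration.

```python
# Added example (not BitDefender's code): classify an e-mail against the
# Sobig.F lure described above (subject list, body text, attachment names).
# The sample messages are constructed here for illustration.
import email
from email import policy

SOBIG_F_SUBJECTS = {
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Re: Approved", "Re: Re: My details", "Re: Details", "Your details",
    "Thank you!", "Re: Thank you!",
}
SOBIG_F_ATTACHMENTS = {
    "movie0045.pif", "wicked_scr.scr", "application.pif", "document_9446.pif",
    "details.pif", "your_details.pif", "thank_you.pif", "document_all.pif",
    "your_document.pif",
}
SOBIG_F_BODIES = {"please see the attached file for details",
                  "see the attached file for details"}
# .pif and .scr are what the worm uses; the others are an assumption added
# here so a renamed payload with the same social engineering still surfaces.
EXECUTABLE_EXTENSIONS = (".pif", ".scr", ".exe", ".com", ".bat")


def classify_message(raw: str) -> dict:
    """Return per-indicator hits and an overall verdict for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower().rstrip(".") if body_part else ""

    subject_hit = subject in SOBIG_F_SUBJECTS
    body_hit = body in SOBIG_F_BODIES
    attachment_hit = any(n in SOBIG_F_ATTACHMENTS for n in names)
    executable_attachment = any(n.endswith(EXECUTABLE_EXTENSIONS) for n in names)

    # Subject and attachment are picked independently by the worm, so do not
    # require a particular pairing; require the lure text plus a payload.
    if attachment_hit and (subject_hit or body_hit):
        verdict = "sobig_f"          # the worm's own lure, verbatim
    elif executable_attachment and (subject_hit or body_hit):
        verdict = "suspicious"       # same lure, renamed executable
    else:
        verdict = "clean"
    return {"verdict": verdict, "subject": subject, "attachments": names,
            "subject_hit": subject_hit, "body_hit": body_hit,
            "attachment_hit": attachment_hit,
            "executable_attachment": executable_attachment}


# Constructed sample messages (not real captures).
SOBIG_EML = """\
From: someone@example.com
To: victim@example.com
Subject: Re: Wicked screensaver
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached file for details.
--b1
Content-Type: application/octet-stream; name="wicked_scr.scr"
Content-Disposition: attachment; filename="wicked_scr.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

RENAMED_EML = SOBIG_EML.replace("wicked_scr.scr", "report.exe")

CLEAN_EML = """\
From: colleague@example.com
To: victim@example.com
Subject: Lunch on Friday?
Content-Type: text/plain; charset="us-ascii"

Are you free around noon?
"""

if __name__ == "__main__":
    for sample in (SOBIG_EML, RENAMED_EML, CLEAN_EML):
        print(classify_message(sample)["verdict"])
```

Matching on the verbatim lure is cheap and exact, but the "suspicious" tier is the useful one in practice: the subject and body strings outlived the specific attachment names, and a mail gateway that blocks executable attachments outright removes the need to keep the name list current.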

After the user opens the attachment, the worm copies itself to:

%WINDIR%\winppr32.exe

and adds a Run value named TrayX under both of the following registry keys, so that it is started at logon:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
TrayX = "%WINDIR%\winppr32.exe /sinc"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
TrayX = "%WINDIR%\winppr32.exe /sinc"

It harvests e-mail addresses from files with the following extensions:

html
wab
mht
hlp
txt
eml
htm
dbx

The worm includes a thread that, every hour, reads the current time by connecting three times to public NTP (Network Time Protocol) servers from a hardcoded list. If the day of the week is Friday or Sunday and the hour is between 19:00 and 22:59, the worm tries to contact several hardcoded hosts on UDP port 8998 in order to receive the location of a file to download and execute. The IP addresses of these hosts are:
68.50.208.96, 12.232.104.221, 218.147.164.29, 24.33.66.38, 12.158.102.205, 24.197.143.132, 24.206.75.137, 24.202.91.43, 24.210.182.156, 61.38.187.59, 65.92.80.218, 63.250.82.87, 65.92.186.145, 65.95.193.138, 65.93.81.59, 65.177.240.194, 66.131.207.81, 67.9.241.67, 68.38.159.161, 67.73.21.6

It then waits for a reply, decodes it to obtain the download location, fetches the file with the URLDownloadToCacheFileA API and runs the downloaded file directly with CreateProcess.
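
Because the update check only fires in a narrow, NTP-synchronised window and always goes to the same twenty hosts on the same UDP port, it is a good target for a flow-level hunt. The following is an added example, not BitDefender's code or the worm's, that models the Friday/Sunday 19:00 to 22:59 trigger window and matches flow records against the hardcoded hosts above; the flow-line format, the sample records and the assumption that the worm's NTP-derived time is UTC are all made here for illustration.

```python
# Added example (not BitDefender's code): model the Sobig.F trigger window
# and hunt for its UDP/8998 polls in flow records. The flow-line format and
# the sample records are constructed here; timestamps are assumed to be UTC,
# as obtained from the NTP servers the worm queries.
from datetime import datetime
from ipaddress import ip_address

# The twenty hosts listed in the description above.
SOBIG_F_C2_HOSTS = {ip_address(h) for h in """
68.50.208.96 12.232.104.221 218.147.164.29 24.33.66.38 12.158.102.205
24.197.143.132 24.206.75.137 24.202.91.43 24.210.182.156 61.38.187.59
65.92.80.218 63.250.82.87 65.92.186.145 65.95.193.138 65.93.81.59
65.177.240.194 66.131.207.81 67.9.241.67 68.38.159.161 67.73.21.6
""".split()}
C2_PORT = 8998
FRIDAY, SUNDAY = 4, 6            # datetime.weekday(): Monday == 0


def parse_iso(ts: str) -> datetime:
    """Parse a UTC timestamp such as 2003-08-22T19:30:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def in_activation_window(when: datetime) -> bool:
    """Friday or Sunday, 19:00 through 22:59: the only time the worm polls."""
    return when.weekday() in (FRIDAY, SUNDAY) and 19 <= when.hour <= 22


def is_trigger_time(ts: str) -> bool:
    return in_activation_window(parse_iso(ts))


def parse_flow(line: str):
    """Constructed format: '<ISO8601 UTC> <src ip> <dst ip> <proto> <dst port>'."""
    ts, src, dst, proto, dport = line.split()
    return parse_iso(ts), ip_address(src), ip_address(dst), proto.lower(), int(dport)


def scan_flows(lines):
    """Return one alert per flow that reaches a hardcoded host on UDP/8998.
    Polls outside the window are still reported (in_window=False): the host
    list is the indicator, the time of day is supporting context."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        when, src, dst, proto, dport = parse_flow(line)
        if proto == "udp" and dport == C2_PORT and dst in SOBIG_F_C2_HOSTS:
            alerts.append({"when": when.isoformat(), "src": str(src),
                           "dst": str(dst), "in_window": in_activation_window(when)})
    return alerts


# Constructed flow records (not a real capture). 2003-08-22 was a Friday,
# 2003-08-23 a Saturday.
SAMPLE_FLOWS = """
2003-08-22T19:30:00Z 10.0.0.5 68.50.208.96 udp 8998
2003-08-22T19:30:01Z 10.0.0.5 12.232.104.221 udp 8998
2003-08-22T19:31:00Z 10.0.0.5 8.8.8.8 udp 53
2003-08-23T20:00:00Z 10.0.0.7 24.33.66.38 udp 8998
2003-08-22T19:32:00Z 10.0.0.5 68.50.208.96 tcp 8998
""".strip().splitlines()

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```

The same window logic also explains why the worm reads the clock from NTP rather than the local system: a blocking rule on outbound UDP/8998, or on NTP itself from hosts that have no business querying it, breaks the update channel without needing the host list at all.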

The worm also spreads through network shares.

It stops spreading after 10 September 2003.

Last update 21 November 2011
