Home / malware Worm:W32/Sobig
First posted on 21 June 2010.
Source: SecurityHomeAliases :
There are no other names known for Worm:W32/Sobig.
Explanation :
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.
Additional DetailsThe Sobig worm was found in the wild on January 9th 2003. The worm spreads via email and network shared drives. It also tries to download other files from web pages located on a Geocities site.
Update 2003-04-23 09:00 GMT
It has been reported that the webpage that controls the trojan downloader component of the worm had been updated for a period of time. The page pointed to a location containing a trojan (detected by F-Secure Anti-Virus as Backdoor.Delf.da). At the time of this update, the control page is no longer available.
Infection
When the worm is run on a system for the first time it copies itself to the Windows System Directory using the name winmgm32.exe. After this a new value, pointing to this file is added to the registry as
€ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsMGM
This way the worm will be started every time Windows starts.
Activity
Sobig contains a routine that downloads a text file from a website. The content of the file is used as a URL to download some program and run it on the infected machine. At the time of writing this description this feature is inactive, as the file points to a non-exisiting location.
The worm might affect network printers. In such cases printers might start to print garbage.
Propagation (E-mail)
Email addresses are collected from files with various extensions:
€ .WAB € .DBX € .HML € .HTML € .EML € .TXT
The sender address is fixed, it is always big@boss.com.
Subjects are randomly chosen from the following list:
€ Re: Here is that sample € Re: Document € Re: Sample € Re: Movies
The message body says:
Â
€ Attached file:
The message contains an executable attachment. The attachment name can be one of the following:
€ Sample.pif € Untitled1.pif € Document003.pif € Movie_0074.mpeg.pif Â
The infected emails are sent using the worms own STMP engine that is independent from the users email settings.
Propagation (Local Area Network)
Sobig lists all the network shares available to the infected computer and tries to copy itself to either of these directories:
€ Windows\All Users\Start Menu\Programs\StartUp  or € Documents and Settings\All Users\Start Menu\Programs\Startup
These are the default startup folders for Windows 9x and NT/XP based systems. If the worm is copied there Windows will run it next time the user logs in. This way the system gets infected.
Variant:Sobig.ADescription:Update 2003-04-23 09:00 GMT It has been reported that the webpage that controls the trojan downloader component of the worm had been updated for a period of time. The page pointed to a location containing a trojan that is detected by F-Secure Anti-Virus as Backdoor.Delf.da. At the time of this update the control page is not available anymore. Details on the Sobig worm The Sobig worm was found in the wild on January 9th. The worm spreads via email and network shared drives. It also tries to download other files from web pages located on a geocities site. A variant of this worm was discovered on 18th of May which has become highly widespread. The description for the variant can be found from: http://www.f-secure.com/v-descs/palyh.htm Mass-mailing Email addresses are collected from files with various extensions: '.WAB' '.DBX' '.HML' '.HTML' '.EML' '.TXT' The sender address is fixed, it is always 'big@boss.com'. Subjects are randomly chosen from the following list: 'Re: Here is that sample' 'Re: Document' 'Re: Sample' 'Re: Movies' The message body says: 'Attached file:' The message contains an executable attachment. The attachment name can be one of the following: 'Sample.pif' 'Untitled1.pif' 'Document003.pif' 'Movie_0074.mpeg.pif' The infected emails are sent using the worm's own STMP engine that is independent from the user's email settings. Local Area Network propagation Sobig lists all the network shares available to the infected computer and tries to copy itself to either of these directories: 'Windows\All Users\Start Menu\Programs\StartUp' or 'Documents and Settings\All Users\Start Menu\Programs\Startup' These are the default startup folders for Windows 9x and NT/XP based systems. If the worm is copied there Windows will run it next time the user logs in. This way the system gets infected. System infection When the worm is run on a system for the first time it copies itself to the Windows System Directory using the name 'winmgm32.exe'. After this a new value, pointing to this file is added to the registry as 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsMGM' This way the worm will be started every time Windows starts. Backdoor downloader Sobig contains a routine that downloads a text file from a website. The content of the file is used as a URL to download some program and run it on the infected machine. At the time of writing this description this feature is inactive, the file points to a non-exisiting location. Affecting network printers The worm might affect network printers. In such cases printers might start to print garbage. Detection Detection in F-Secure Anti-Virus was published on January 9th, 2003 in update: [FSAV_Database_Version] Version=2003-01-09_04Last update 21 June 2010
