
The worm Sobig.c takes off for its one-week run
By Robert Vamosi

This variation of an existing worm will self-expire on June 8, 2003

(6/2/03)

Sobig.c is loose on the internet and has spread to over 80 countries since its release on May 31, 2003. Sobig.c (w32.sobig.c@mm) is a variant of the Sobig worm and arrives by e-mail with an attached file; it also spreads using shared network files. Once executed, Sobig.c will attempt to send copies of itself via its own SMTP engine. It will also attempt to download Trojan-horse files from a Web site that has since been shut down. Sobig.c is self-terminating and will only spread until June 8, 2003. Because Sobig.c spreads via e-mail and network shares but doesn't damage system files, this worm rates a 4 on the CNET Virus Meter.

How it works
Sobig.c arrives via e-mail or shared network file. The e-mail appears to be from someone you might know, but this address is spoofed. The e-mail's subject line may include one of the following:

Approved
Re: 45443-343556
Re: Application
Re: Approved
Re: Movie
Re: Screensaver
Re: Submited (004756-3463)
Re: Your application

The e-mail's attachment may have one of the following filenames:

45443.pif
application.pif
approved.pif
document.pif
documents.pif
movie.pif
screensaver.scr
submited.pif

In some cases, the extension might read .pi, not .pif.
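As an added example (not part of the CNET article), a small Python filter that flags incoming messages matching the Sobig.c lures listed above: the known subject lines, the known attachment names, and the .pif/.pi/.scr extensions. The sample messages it builds are constructed for the demonstration, not captured worm mail.

```python
# Added example: flag messages that match the Sobig.c e-mail indicators
# given in the article (subject lines, attachment names, .pif/.pi/.scr
# extensions). Sample messages built below are constructed demo data.
import email
from email import policy
from email.message import EmailMessage

SUBJECTS = {
    "Approved", "Re: 45443-343556", "Re: Application", "Re: Approved",
    "Re: Movie", "Re: Screensaver", "Re: Submited (004756-3463)",
    "Re: Your application",
}
ATTACHMENTS = {
    "45443.pif", "application.pif", "approved.pif", "document.pif",
    "documents.pif", "movie.pif", "screensaver.scr", "submited.pif",
}
SUSPECT_EXTENSIONS = (".pif", ".pi", ".scr")

def sobig_indicators(raw_message):
    """Return a list of Sobig.c indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        hits.append("subject matches known lure: %r" % subject)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if name.lower() in ATTACHMENTS:
            hits.append("attachment name matches known dropper: %r" % name)
        elif name.lower().endswith(SUSPECT_EXTENSIONS):
            hits.append("attachment has executable-style extension: %r" % name)
    return hits

def build_sample(subject, attachment_name=""):
    """Construct a sample message (demo data, not a real Sobig.c e-mail)."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.com"   # the worm forges the sender
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    if attachment_name:
        msg.add_attachment(b"demo-bytes", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()

if __name__ == "__main__":
    for subj, att in [("Re: Movie", "movie.pif"), ("Quarterly report", "report.pdf")]:
        print(subj, "->", sobig_indicators(build_sample(subj, att)) or "clean")
```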

This worm does not automatically execute; you must open the attached file to become infected with Sobig.c. Upon execution, the worm adds the following files to the default Windows directory:

"mscvb32.exe" (approximately 50K; a copy of itself)
"msddr.dat" (configuration file)

Upon execution, the worm attempts to make the following changes to the system Registry so that the worm will load each time you start up your computer:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "System MScvb" = [Windows directory]\mscvb32.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "System MScvb" = [Windows directory]\mscvb32.exe

Sobig.c also spreads via shared network files. It attempts to copy itself to the following directories on remote systems:

\Documents and Settings\All Users\Start Menu\Programs\Startup\
\Windows\All Users\Start Menu\Programs\Startup\

Prevention
In general, do not open attached files in e-mail without first saving them to hard disk and scanning them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signature files that include Sobig.c. Sobig.c is set to expire on its own on June 8, 2003.

Removal
Several antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee, Messagelabs, Norman, Panda, Sophos, Symantec, and Trend Micro.

Quick facts

Name: Sobig.c (w32.sobig.c@mm)

What it does: Attempts to spread via e-mail and shared network files

Means of transmission: E-mail and shared file networks

How to recognize: Attached file has a .pif or .pi extension.

Who is at risk: Windows users



© 2008 CNET Networks, Inc., a CBS Company. All rights reserved. | Privacy Policy | Terms of Use