A new variant of the Sobig worm (Sobig.C) is spreading in the wild. It arrives in PIF and SCR attachments in emails coming from several faked addresses, such as "bill@microsoft.com". This variant also spreads through network shares.
UPDATE (2003-06-01 10:30 GMT)
The Sobig.C worm was found in the wild late in the evening on 31st of May, 2003. On June 1st 2003 the worm increased its spreading in several countries. Detection of the worm has been published. For more information, see the bottom of this page.
F-Secure is currently analyzing the worm. More information will be available later.
UPDATE (2003-05-31 22:00 GMT)
The Sobig.C worm was found in the wild but hasn't spread far.
Infection
The worm copies itself to the Windows folder as
mscvb32.exe
and adds the following registry key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
System MScvb = %WindowsDir%\mscvb32.exe
so that it's launched every time Windows starts.
Mass mailing
Message subjects are chosen from:
Re: Screensaver
Re: Movie
Re: Submited (004756-3463)
Re: 45443-343556
Re: Approved
Approved
Re: Your application
Re: Application
Attachment names are chosen from:
screensaver.scr
movie.pif
submited.pif
45443.pif
documents.pif
approved.pif
application.pif
document.pif
The body of the messages is always fixed:
Please see the attached file.
The worm gathers e-mail addresses from files with the following extensions:
'.wab'
'.dbx'
'.htm'
'.html'
'.eml'
'.txt'
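The subjects, attachment names and fixed body above are usable mail-gateway indicators. The following Python helper is an added example, not F-Secure's code: it parses one raw message and returns which Sobig.C indicators it matches (a `.pif`/`.scr` attachment under a name not in the list is flagged separately, since the name list may be incomplete). The sample message is constructed for illustration.

```python
# Added example (not F-Secure's code): scores one raw RFC 822 message against the
# Sobig.C indicators listed above and returns which ones matched, so a mail
# gateway or analyst can quarantine it. The sample message is constructed.
from email import message_from_bytes

SUBJECTS = {
    "Re: Screensaver", "Re: Movie", "Re: Submited (004756-3463)",
    "Re: 45443-343556", "Re: Approved", "Approved",
    "Re: Your application", "Re: Application",
}
ATTACHMENTS = {
    "screensaver.scr", "movie.pif", "submited.pif", "45443.pif",
    "documents.pif", "approved.pif", "application.pif", "document.pif",
}
FIXED_BODY = "Please see the attached file."


def sobig_c_indicators(raw: bytes) -> list:
    # Returns the matched indicators for one message (empty list if none).
    msg = message_from_bytes(raw)
    hits = []
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append("attachment-name:" + name)
        elif name.endswith((".pif", ".scr")):  # executable extension, unlisted name
            hits.append("attachment-ext:" + name)
        elif part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            if body.strip() == FIXED_BODY:
                hits.append("fixed-body")
    return hits


# Constructed sample that mirrors the description (not a real capture).
SAMPLE = b"""From: bill@microsoft.com
Subject: Re: Approved
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Please see the attached file.
--B
Content-Type: application/octet-stream; name="approved.pif"
Content-Disposition: attachment; filename="approved.pif"

PLACEHOLDER-ATTACHMENT-BYTES
--B--
"""
```

Running `sobig_c_indicators(SAMPLE)` yields `['subject', 'fixed-body', 'attachment-name:approved.pif']`; any non-empty result is grounds to quarantine the message and check the recipient host for the `mscvb32.exe` Run key described above.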
Local Area Network propagation
If the system date is 8th of June 2003 or later, the worm also tries to infect computers with open network shares by copying itself to the following locations:
Windows\All Users\Start Menu\Programs\Startup
Documents and Settings\All Users\Start Menu\Programs\Startup
These are the default Startup folders on Windows 9x and NT/XP-based systems. Windows runs whatever is placed there the next time a user logs in, so the worm copy is executed and the remote system becomes infected.
Backdoor downloader
The worm also attempts to download components from several URLs hard-coded inside the worm's body. At the time of this writing the URLs have been taken down.