Sophos

W32/Sobig-C

Aliases
  • I-Worm.Sobig.c
  • W95/Sobig.C@mm
  • Win32/Sobig.C

Summary

Included in our products from July 2003 (3.71)
Protection available since 28 September 2003 09:46:50 (GMT)
Detected by All Sophos products

Action

Read instructions on how to remove the W32/Sobig-C worm.

More Information

W32/Sobig-C is an internet worm that spreads by copying itself to the startup folder of network shares and by emailing itself to addresses found in locally stored files with the extension TXT, EML, HTML, HTM or DBX.

The emails sent have the following characteristics.

Subject line, one of:
  • Re: Movie
  • Re: Submitted (004756-3463)
  • Re: 45443-343556
  • Re: Approved
  • Re: Your application
  • Re: Application

Message text:
  Please see the attached file

Attached file, one of:
  • 45443.pif
  • application.pif
  • approved.pif
  • document.pif
  • documents.pif
  • movie.pif
  • screensaver.scr
  • submitted.pif

The worm spoofs the From: field using email addresses found in files on the hard drive, or the address "bill@microsoft.com".

W32/Sobig-C will not spread if the date is June 8th 2003 or later.

When run, the worm copies itself to the Windows folder as mscvb32.exe and creates the following registry entries so that mscvb32.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System MScvb = %WINDOWS%\mscvb32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System MScvb = %WINDOWS%\mscvb32.exe

W32/Sobig-C enumerates network shares and, on any share that grants write access, copies itself to the following startup folders:

Windows\All Users\Start Menu\Programs\Startup
Documents and Settings\All Users\Start Menu\Programs\Startup

The worm also creates the file msddr.dat in the Windows folder.
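As an added detection example (not code from the Sophos page or from Sophos's own tools), the Python below checks a message's metadata and a Run key's values against the indicators listed above; the message and registry samples inside it are constructed for the demo.

```python
# Indicators are the ones listed in the Sophos description above;
# the message and registry samples at the bottom are constructed.
SOBIG_C_SUBJECTS = {
    "Re: Movie", "Re: Submitted (004756-3463)", "Re: 45443-343556",
    "Re: Approved", "Re: Your application", "Re: Application",
}
SOBIG_C_ATTACHMENTS = {
    "45443.pif", "application.pif", "approved.pif", "document.pif",
    "documents.pif", "movie.pif", "screensaver.scr", "submitted.pif",
}
SOBIG_C_BODY = "please see the attached file"
SOBIG_C_RUN_VALUE = "system mscvb"   # value name under ...\CurrentVersion\Run
SOBIG_C_DROPPED = "mscvb32.exe"      # file the worm writes to the Windows folder


def email_indicators(msg):
    """Return the Sobig-C traits a message matches.

    msg is a dict with 'subject', 'attachment', 'body' and 'from' keys.
    """
    hits = []
    if msg.get("subject", "").strip() in SOBIG_C_SUBJECTS:
        hits.append("subject")
    if msg.get("attachment", "").lower() in SOBIG_C_ATTACHMENTS:
        hits.append("attachment")
    if msg.get("body", "").strip().lower() == SOBIG_C_BODY:
        hits.append("body")
    # From: is spoofed from harvested addresses, so it is only a weak signal.
    if msg.get("from", "").lower() == "bill@microsoft.com":
        hits.append("spoofed_sender")
    return hits


def is_sobig_c_email(msg):
    """Verdict: a known attachment name plus the known subject or body text."""
    hits = email_indicators(msg)
    return "attachment" in hits and ("subject" in hits or "body" in hits)


def suspicious_run_values(run_values):
    """Flag Run-key values (name -> data) matching the worm's persistence entry."""
    return [name for name, data in run_values.items()
            if name.lower() == SOBIG_C_RUN_VALUE
            or data.lower().split("\\")[-1] == SOBIG_C_DROPPED]


if __name__ == "__main__":
    sample = {"subject": "Re: Approved", "attachment": "approved.pif",
              "body": "Please see the attached file", "from": "bill@microsoft.com"}
    print(email_indicators(sample), is_sobig_c_email(sample))
    print(suspicious_run_values({"System MScvb": r"C:\WINDOWS\mscvb32.exe"}))
```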
