Summary

| Included in our products from | August 2003 (3.72) |
|---|---|
| Protection available since | 28 September 2003 09:47:01 (GMT) |
| Detected by | All Sophos products |
Action

Read instructions on how to remove the W32/Sobig-E worm.
More Information
W32/Sobig-E arrives by email and also attempts to spread through network shares. The worm sends itself as an attachment to email addresses harvested from the infected computer.
A typical email has the following format:
Subject line:
Re: Application
or
Re: Movie
Message text:
Please see the attached zip file for details
Attached file:
your_details.zip (containing details.pif)
W32/Sobig-E may spoof the From field of the sent emails using the email address support@yahoo.com or addresses collected from the user's computer.
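The mail traits above (subject, body text, attachment name, the .pif inside the zip, and the spoofed sender) are exactly what a mail gateway filter would key on. The following is an added example, not Sophos code: a small Python checker that parses a raw RFC 822 message, opens any zip attachment in memory and reports which of the W32/Sobig-E indicators from this page matched. The sample message it builds is constructed here with an inert payload; the indicator names and the three-hit verdict threshold are this example's own choices.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the W32/Sobig-E description on this page.
SOBIG_E_SUBJECTS = {"re: application", "re: movie"}
SOBIG_E_BODY = "please see the attached zip file for details"
SOBIG_E_ATTACHMENT = "your_details.zip"
SOBIG_E_INNER = "details.pif"
SOBIG_E_SPOOFED_FROM = "support@yahoo.com"
# Verdict threshold chosen for this example (assumption, not from the page).
VERDICT_THRESHOLD = 3


def inspect_zip(data: bytes) -> list:
    """Return the member names of a zip attachment, or [] if it is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return []


def sobig_e_indicators(raw: bytes) -> list:
    """Return the list of W32/Sobig-E indicators that match a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in SOBIG_E_SUBJECTS:
        hits.append("subject")
    if SOBIG_E_SPOOFED_FROM in str(msg["from"] or "").lower():
        hits.append("spoofed-from")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and SOBIG_E_BODY in body.get_content().lower():
        hits.append("body")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == SOBIG_E_ATTACHMENT:
            hits.append("attachment-name")
        # Look inside the zip rather than trusting the outer filename.
        members = [m.lower() for m in inspect_zip(part.get_payload(decode=True) or b"")]
        if SOBIG_E_INNER in members:
            hits.append("zip-contains-pif")
        elif any(m.endswith((".pif", ".exe", ".scr")) for m in members):
            hits.append("zip-contains-executable")
    return hits


def looks_like_sobig_e(raw: bytes) -> bool:
    """Flag a message when enough independent indicators line up."""
    return len(sobig_e_indicators(raw)) >= VERDICT_THRESHOLD


def build_sample(subject: str = "Re: Movie", inner_name: str = "details.pif") -> bytes:
    """Constructed sample resembling the worm's mail; the zip member is inert bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"MZ-inert-sample-not-a-real-binary")
    msg = EmailMessage()
    msg["From"] = "support@yahoo.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached zip file for details")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="your_details.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(sobig_e_indicators(build_sample()), looks_like_sobig_e(build_sample()))
```

Matching on the subject or the outer filename alone is brittle; the check that actually costs the attacker something is opening the archive and finding the .pif, which is why the example inspects the zip members and still reports a generic executable-in-zip hit when the inner name changes.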
When run, W32/Sobig-E copies itself into the Windows folder as winssk32.exe and sets the following registry entries so that the copy is started at each logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSK Service
= <Windows folder>\winssk32.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSK Service
= <Windows folder>\winssk32.exe
Like previous variants, W32/Sobig-E attempts to spread via Windows shares by copying itself into the following folders on shares:
Windows\All Users\Start Menu\Programs\StartUp\
Documents and Settings\All Users\Start Menu\Programs\Startup\
W32/Sobig-E will not spread if the date is 14th July or later.
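When cleaning up after this worm, the file indicators on this page (winssk32.exe and executables dropped into the two All Users Startup folders) need to be checked on every share the infected machine could reach, not just on the host itself. The following is an added example, not Sophos code: a Python sweep over a mounted share that reports any executable sitting in one of the two drop folders, plus any copy of winssk32.exe anywhere on the share, together with its SHA-256 so identical copies can be correlated. Path matching is case-insensitive because the two spellings on this page differ only in the case of "StartUp"/"Startup". The share layout it scans is constructed in a temporary directory with inert sample bytes.

```python
import hashlib
import os
import tempfile
from pathlib import Path, PureWindowsPath

# Drop locations named on this page, lower-cased for case-insensitive comparison.
SOBIG_E_DROP_DIRS = (
    "windows/all users/start menu/programs/startup",
    "documents and settings/all users/start menu/programs/startup",
)
DROPPED_FILE = "winssk32.exe"
# Extensions treated as executable for this sweep (assumption for the example).
EXECUTABLE_SUFFIXES = (".exe", ".pif", ".scr", ".com", ".bat")


def normalise(rel_path: str) -> str:
    """Lower-case a relative path and use forward slashes regardless of OS."""
    return PureWindowsPath(rel_path).as_posix().lower()


def scan_share(root: str) -> list:
    """Return sorted (relative path, sha256) pairs for suspicious files under root."""
    findings = []
    root_path = Path(root)
    for dirpath, _dirs, files in os.walk(root_path):
        rel_dir = normalise(os.path.relpath(dirpath, root_path))
        in_drop_dir = rel_dir in SOBIG_E_DROP_DIRS
        for name in files:
            lower = name.lower()
            if (in_drop_dir and lower.endswith(EXECUTABLE_SUFFIXES)) or lower == DROPPED_FILE:
                full = Path(dirpath) / name
                digest = hashlib.sha256(full.read_bytes()).hexdigest()
                findings.append((normalise(os.path.relpath(full, root_path)), digest))
    return sorted(findings)


def build_sample_share(root: str) -> None:
    """Constructed share: a dropped copy in each Startup folder, a benign shortcut
    beside one of them, a benign document, and a stray winssk32.exe in Temp."""
    layout = {
        "Windows/All Users/Start Menu/Programs/StartUp/winssk32.exe": b"MZ-inert-sample",
        "Windows/All Users/Start Menu/Programs/StartUp/Readme.lnk": b"not executable",
        "Documents and Settings/All Users/Start Menu/Programs/Startup/details.pif": b"MZ-inert-sample-2",
        "Users/alice/Desktop/notes.txt": b"benign",
        "Temp/winssk32.exe": b"MZ-inert-sample",
    }
    for rel, data in layout.items():
        path = Path(root, *rel.split("/"))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo() -> list:
    """Build the constructed share in a temp directory and sweep it."""
    with tempfile.TemporaryDirectory() as share_root:
        build_sample_share(share_root)
        return scan_share(share_root)


if __name__ == "__main__":
    for rel_path, digest in demo():
        print(f"{digest}  {rel_path}")
```

Point the sweep at the mount point of each share (for example the directory a UNC path is mounted on) and compare the digests: copies of the worm dropped by the same host share a hash, which is a quick way to confirm that a file in a Startup folder is the same binary as the winssk32.exe found in the Windows folder.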
