W32/Sobig-D

Category: Viruses and Spyware
Protection available since: 18 Jun 2003 00:00:00 (GMT)
Type: Win32 worm
Last updated: 18 Jun 2003 00:00:00 (GMT)
Prevalence:


W32/Sobig-D is an internet worm which spreads by copying itself to the startup folder of network shares and by emailing itself to addresses found within locally stored files that have an extension of TXT, EML, HTML, HTM or DBX.

The emails sent have the following characteristics:

Subject line: chosen from -
Application Ref: 456003
Re: Accepted
Re: App. 00347545-002
Re: Application
Re: Documents
Re: Movies
Re: Screensaver
Re: Your Application (Ref: 003844)
Your Application

Message text:
See the attached file for details

Attached file: one of -
Accepted.pif
app003475.pif
Application844.pif
Applications.pif
Document.pif
movies.pif
ref 456.pif
Screensaver.pif
Screensaver.scr

W32/Sobig-D spoofs the From: field using email addresses extracted from locally stored files or "admin@support.com".
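A mail-gateway style check for the email traits listed above, as an added example that is not part of the original analysis or any Sophos product. The function names and the "listed attachment name plus one more trait" rule are assumptions made for illustration; the From: header is deliberately ignored because the worm spoofs it.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the description above (lower-cased for matching).
SUBJECTS = {
    "application ref: 456003", "re: accepted", "re: app. 00347545-002",
    "re: application", "re: documents", "re: movies", "re: screensaver",
    "re: your application (ref: 003844)", "your application",
}
ATTACHMENTS = {
    "accepted.pif", "app003475.pif", "application844.pif", "applications.pif",
    "document.pif", "movies.pif", "ref 456.pif", "screensaver.pif",
    "screensaver.scr",
}
BODY_TEXT = "see the attached file for details"


def sobig_d_indicators(raw_message: bytes) -> list:
    """Return the Sobig-D email traits found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    # Collapse folded whitespace so a wrapped Subject header still matches.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
        elif part.get_content_type() == "text/plain" and BODY_TEXT in part.get_content().lower():
            hits.append("body")
    return hits


def is_suspect(raw_message: bytes) -> bool:
    """Assumed policy: a listed attachment name plus at least one other trait."""
    hits = sobig_d_indicators(raw_message)
    return any(h.startswith("attachment:") for h in hits) and len(hits) >= 2


def build_sample(subject, body, filename=None):
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["From"] = "admin@support.com"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```
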

W32/Sobig-D will not spread if the date is July 2nd 2003 or later.

When run, the worm copies itself to the Windows folder as cftrb32.exe and creates the following registry entries so that cftrb32.exe is run automatically each time Windows is started:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SFtrb Service = %WINDOWS%\cftrb32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
SFtrb Service = %WINDOWS%\cftrb32.exe

The worm enumerates network drives and copies itself to the following startup folders if they are shared with write access:

Windows\All Users\Start Menu\Programs\Startup
Documents and Settings\All Users\Start Menu\Programs\Startup

W32/Sobig-D also creates the file rssp32.dat in the Windows folder.
