Summary

| Detected by | All Sophos products |
|---|---|
Action
Please follow the instructions for removing worms.
Read instructions on how to remove the W32/Sobig-B worm.
More Information
W32/Sobig-B is a worm which spreads by email and also attempts to copy itself to network shares.
The worm appears to arrive as a .PIF attachment from support@microsoft.com.
Emails containing W32/Sobig-B have the following characteristics: a fixed message body,
Message text: All information is in the attached file
combined with one of the following subject lines and one of the following attached filenames:
Subject lines:
Your details
Approved (Ref: 38446-263)
Re: Approved (Ref: 3394-65467)
Your password
Screensaver
Re: My details
Cool screensaver
Re: Movie
Re: My application
Attached filenames:
your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif
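The mail characteristics listed above can be turned into a gateway-side check. The following is an added example, not Sophos code: it parses a raw message with Python's standard `email` module, reports which of the listed indicators it matches (subject, fixed body text, known attachment name, any `.pif` attachment, spoofed support@microsoft.com sender), and builds a constructed sample message for testing.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the W32/Sobig-B description above.
SOBIG_B_SUBJECTS = {
    "Your details", "Approved (Ref: 38446-263)", "Re: Approved (Ref: 3394-65467)",
    "Your password", "Screensaver", "Re: My details", "Cool screensaver",
    "Re: Movie", "Re: My application",
}
SOBIG_B_FILENAMES = {
    "your_details.pif", "ref-394755.pif", "approved.pif", "password.pif",
    "doc_details.pif", "screen_temp.pif", "screen_doc.pif", "movie28.pif",
    "application.pif",
}
SOBIG_B_BODY = "All information is in the attached file"


def sobig_b_indicators(raw_message: bytes) -> list[str]:
    """Return the names of the W32/Sobig-B indicators present in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip() in SOBIG_B_SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() == SOBIG_B_BODY:
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in SOBIG_B_FILENAMES:
            hits.append("known-filename")
        elif name.endswith(".pif"):  # unknown .pif: still a program file by email
            hits.append("pif-attachment")
    if parseaddr(str(msg.get("From", "")))[1].lower() == "support@microsoft.com":
        hits.append("spoofed-microsoft-sender")
    return hits


def is_sobig_b(raw_message: bytes) -> bool:
    """A known filename, or a .pif attachment combined with the body or subject, is a match."""
    hits = set(sobig_b_indicators(raw_message))
    return "known-filename" in hits or (
        "pif-attachment" in hits and hits & {"body", "subject"} != set())


def constructed_sample() -> bytes:
    """Constructed test message mimicking the described characteristics (no real worm code)."""
    m = EmailMessage()
    m["From"] = "support@microsoft.com"
    m["To"] = "user@example.com"  # placeholder recipient
    m["Subject"] = "Re: Movie"
    m.set_content(SOBIG_B_BODY)
    m.add_attachment(b"placeholder-bytes", maintype="application",
                     subtype="octet-stream", filename="movie28.pif")
    return m.as_bytes()
```

Blocking every executable attachment, as the Sophos recommendation below suggests, catches this regardless of which subject or filename variant is used; the indicator list is only useful for labelling what was caught.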
W32/Sobig-B copies itself into your Windows folder under the name msccn32.exe and then sets the registry values:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Tray
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System Tray
so that it runs every time you log on to your computer.
W32/Sobig-B searches for email addresses in numerous locations on your hard disk, including WAB (Windows Address Book), DBX, HTM, HTML, EML and TXT files. The worm then sends itself to these addresses. You do not need to have Outlook or Outlook Express installed for W32/Sobig-B to work: it is programmed with its own mail-sending code.
W32/Sobig-B also enumerates network shares and attempts to copy itself to the following folders on the share:
Document and Settings\All Users\Start Menu\Programs\Startup
and
Windows\All Users\Start Menu\Programs\Startup
so that the worm runs when the remote system is restarted.
Sophos recommends that users of its MailMonitor for SMTP product block all executable attachments at their mail server via its threat reduction technology. The risks associated with email-borne executables are huge, yet there is little or no business case for allowing program files to be sent and received by email.
Note: Microsoft does not distribute executable files by email, so the emails generated by this worm are obviously bogus.
