W32/Sobig-A

Category: Viruses and Spyware
Type: Win32 worm
Protection available since: 10 Jan 2003 00:00:00 (GMT)
Last Updated: 10 Jan 2003 00:00:00 (GMT)
Prevalence: Several Reports


W32/Sobig-A is a worm that uses a built-in SMTP client and local Windows network shares to spread.

W32/Sobig-A arrives in an email with the following characteristics:

From: big@boss.com

Subject line - chosen from:
Re: Movies
Re: Sample
Re: Document
Re: Here is that sample

Attached file - chosen from:
Document003.pif
Sample.pif
Untitled1.pif
Movie_0074.mpeg.pif
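A mail-gateway triage check for the characteristics listed above, written as an added example for this page; it is not code from the original advisory or from the vendor's product. It parses one message and reports which indicators match: the fixed sender, one of the four subject lines, and an attachment with one of the four filenames. It also flags any other .pif attachment, because Movie_0074.mpeg.pif depends on the double extension hiding the executable file type; that general .pif check goes beyond what the page lists. The sample messages are constructed inline for the demonstration, and the address user@example.com is a placeholder.

```python
"""Triage one e-mail message for the W32/Sobig-A indicators in the advisory."""
from email import message_from_bytes, policy, utils
from email.message import EmailMessage

# Indicators taken from the advisory text; compared case-insensitively.
SOBIG_A_SENDER = "big@boss.com"
SOBIG_A_SUBJECTS = {
    "re: movies",
    "re: sample",
    "re: document",
    "re: here is that sample",
}
SOBIG_A_ATTACHMENTS = {
    "document003.pif",
    "sample.pif",
    "untitled1.pif",
    "movie_0074.mpeg.pif",
}


def sobig_a_indicators(raw_message: bytes) -> list[str]:
    """Return human-readable indicator hits for one RFC 5322 message.

    An empty list means none of the Sobig-A characteristics were seen. The
    From header is the weakest of the three signals: the worm writes it with
    its own SMTP client, so a variant could change it at will.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits: list[str] = []

    sender = utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if sender == SOBIG_A_SENDER:
        hits.append(f"sender {sender}")

    subject = str(msg.get("Subject", "")).strip()
    if subject.lower() in SOBIG_A_SUBJECTS:
        hits.append(f"subject {subject!r}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in SOBIG_A_ATTACHMENTS:
            hits.append(f"attachment {name} (known Sobig-A filename)")
        elif name.endswith(".pif"):
            # Not one of the advisory's names; flagged because .pif files are
            # executable and a double extension such as .mpeg.pif hides that.
            hits.append(f"attachment {name} (.pif executable)")
    return hits


def build_message(sender: str, subject: str, filename: str,
                  payload: bytes = b"MZ") -> bytes:
    """Construct a sample message with one attachment (test data, not a capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"  # placeholder recipient
    msg["Subject"] = subject
    msg.set_content("")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = (
        build_message("big@boss.com", "Re: Movies", "Movie_0074.mpeg.pif"),
        build_message("alice@example.com", "Re: lunch", "notes.txt"),
        build_message("alice@example.com", "Re: lunch", "Invoice.pif"),
    )
    for raw in samples:
        print(sobig_a_indicators(raw) or ["no Sobig-A indicators"])
```

Treat a single hit on the sender or subject alone as low confidence; the attachment name, and the .pif extension in particular, is what a gateway should act on.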

The worm searches the local hard drive for files with the extensions TXT, HTML, EML, HTM, WAB and DBX and extracts email addresses from them. These harvested addresses are the recipients of the infected messages the worm sends with its built-in SMTP client.

When the attachment is run, W32/Sobig-A copies itself into the Windows folder as Winmgm32.exe and launches that copy as a new process.

W32/Sobig-A creates the following registry values to run itself on Windows startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM

The worm connects to a website and attempts to download the file reteral.txt, which contains a URL pointing to another file. W32/Sobig-A then attempts to download and run the file at that URL.

The worm also attempts to copy itself to Windows shares on the local network: if a shared folder contains the path Windows\All Users\Start Menu\Programs\StartUp or Documents and Settings\All Users\Start Menu\Programs\Startup, the worm writes a copy of itself there, so that it runs the next time a user logs on to that machine.