Re: [Histonet] New virus - appears to be "sobig"

From:Jackie.O'Connor@abbott.com

I've received 100 of these from histonet with the subject line just as you describe!  Thanks for the information.

Jacqueline M. O'Connor HT(ASCP)
Abbott Laboratories
Global Pharmaceutical Research and Development
Discovery Chemotheraputics
847.938.4919
Fax 847.938.3266


"Marshall Terry Dr, Consultant Histopathologist" <Terry.Marshall@rothgen.nhs.uk>
Sent by: histonet-admin@lists.utsouthwestern.edu

08/20/2003 09:58 AM

       
        To:        "Adams, Sharon K." <SADAMS@HCMHCARES.ORG>, "HistoNet Server" <histonet@pathology.swmed.edu>
        cc:        
        Subject:        [Histonet] New virus - appears to be "sobig"



Virus Profile

Virus Information
Name: W32/Sobig.f@MM
Risk Assessment  
 - Home Users: High
 - Corporate Users: Medium
Date Discovered: 8/18/2003
Date Added: 8/18/2003
Origin: Unknown
Length: approx 72,568 Bytes
Type: Virus
SubType: Internet Worm
DAT Required: 4287

 Quick Links
Virus Characteristics
Indications of Infection
Method of Infection
Removal Instructions
Aliases


Buy or Update
New Users Get Protected Now:
Buy VirusScan Online

Update VirusScan Online



Virus Characteristics  

This detection is for a new variant of W32/Sobig. In common with previous variants, the worm is written in MSVC, and bears the following characteristics:

propagates via email, constructing outgoing messages with its own SMTP engine
propagates over network shares (not confirmed in testing yet)
Note: The worm carries garbage data appended to end of file, so exact filesize and file checksum may vary.

Installation

The worm copies itself onto the victim machine as WINPPR32.EXE into %Windir%, for example:

C:\WINNT\WINPPR32.EXE
A configuration file is also dropped to %Windir%:

C:\WINNT\WINSTT32.DAT
The following Registry keys are added to hook system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc
Mail Propagation

The worm mails itself to email addresses harvested from the victim machine, using its own SMTP engine to construct outgoing messages. Target email addresses are harvested from files with the following extensions:

DBX
HLP
MHT
WAB
EML
TXT
HTM
HTML
Outgoing messages are constructed as follows:

Subject:

Your details
Thank you!
Re: Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Attachment:

your_document.pif
document_all.pif
thank_you.pif <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< the one we got(Terry)
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
Body:

See the attached file for details
Please see the attached file for details
The "From:" address may be spoofed with an address extracted from the victim machine. Therefore the perceived sender is most likely not a pointer to the infected user.

Contacting Remote NTP Servers

The worm contains a list of IP addresses for remote NTP servers, to which it sends NTP packets (destination port 123).

Self-Termination

In common with previous W32/Sobig variants, this variant contains a date triggered self-termination routine. If the date is September 10th 2003 or later, the worm will no longer propagate.



Indications of Infection  

Existence of the WINPPR32.EXE file in %WinDir%
Existence of the Registry hooks detailed above
Unexpected NTP traffic to remote servers



Method of Infection  

This worm propagates via email (contains its own SMTP engine) and over network shares.



Removal Instructions  

DAT Files
Detection is included in the 4287 DAT files. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used. Alternatively, the following EXTRA.DAT packages are available (HOW TO use an EXTRA.DAT)..

EXTRA.DAT - should be extracted to the same directory where CLEAN.DAT, NAMES.DAT, and SCAN.DAT are (typically C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx)
or

SUPER EXTRA.DAT - EXTRA.DAT self installer
Stand Alone Remover
Stinger has been updated to include detection/removal of this threat.
Manual Removal Instructions
To remove this virus "by hand", follow these steps:

- Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
- WinNT/2K/XP - Terminate the process WINPPR32.EXE
Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt)
WINPPR32.EXE
WINSTT32.DAT
Edit the registry
Delete the "TrayX" value from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
HKEY_CURRENT_USERS\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Additional Windows ME/XP removal considerations



Aliases  

W32.Sobig.F@mm (NAV), WORM_SOBIG.F (Trend)


Dr Terry L Marshall, B.A.(Law), M.B.,Ch.B.,F.R.C.Path
Consultant Pathologist
Rotherham General Hospital
South Yorkshire
England
       terry.marshall@rothgen.nhs.uk

_______________________________________________
Histonet mailing list
Histonet@lists.utsouthwestern.edu
http://lists.utsouthwestern.edu/mailman/listinfo/histonet

<< Previous Message | Next Message >>