Alias: Win32/Palyh.A@mm, W32.HLLW.Mankx@mm
Type: Worm
Size: 49,000 - 54,000 bytes
Origin: Holland
Date: 05-19-2003
Damage: Sends itself by email, registry entries
VDF Version: 6.19.00.18
Danger: Low
Distribution: Medium
General Description
Worm/Sobig.B has a file size between 49,000 and 54,000 bytes and is UPX packed. It is an Internet worm which sends itself by email and spreads over shared Windows networks. It copies itself into the Windows directory as "msccn.exe" and creates auto-run entries in the registry. The worm collects the email addresses it finds in local files of type .TXT, .EML, .HTM*, .DBX and in the Windows Address Book (WAB) into a file named "hnks.ini".
Symptoms
The file msccn.exe appears in the Windows folder.
Distribution
Sobig.B is an Internet worm which sends itself by email and spreads over shared Windows networks.
Technical Details
When started, it copies itself into the Windows directory as "msccn.exe" and makes the following registry entries:
* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray"="%Windows%\msccn32.exe"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray"="%Windows%\msccn32.exe"
The worm looks for files with the extensions .TXT, .EML, .HTM*, .DBX and for the Windows Address Book (WAB). From these it harvests email addresses and sends itself to them using its own SMTP engine, without going through the user's mail client.
An email sent by this worm would look like this:
* From:
support@microsoft.com
* Subject:
Approved (Ref: 38446-263)
Cool Screensaver
Your Password
Your Details
Re: My details
Re: My Application
Re: Movie
Re: Approved (Ref: 3394-65497)
* Body:
All information is in the attached file.
* Attachment:
approved.pif
application.pif
doc_details.pif
ref-394755.pif
password.pif
screen_temp.pif
screen_docs.pif
movie28.pif
your_details.pif
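The sender, subjects, body text and attachment names listed above are enough for a simple mail-gateway rule. The following Python is an added example and not part of the original description or any Avira tool: it parses a raw RFC 822 message with the standard email module, reports which of the listed indicators it matches, and flags the message when a listed .pif attachment is present or at least two independent indicators agree. The two sample messages are constructed here for illustration, not captured worm traffic.

```python
"""Mail-gateway style check for messages matching the Worm/Sobig.B lure.

Added example (not from the original Avira description). Indicators are the
sender, subjects, body line and attachment names listed in the description.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List

SOBIG_B_SENDER = "support@microsoft.com"
SOBIG_B_SUBJECTS = {
    "Approved (Ref: 38446-263)",
    "Cool Screensaver",
    "Your Password",
    "Your Details",
    "Re: My details",
    "Re: My Application",
    "Re: Movie",
    "Re: Approved (Ref: 3394-65497)",
}
SOBIG_B_BODY = "All information is in the attached file."
SOBIG_B_ATTACHMENTS = {
    "approved.pif", "application.pif", "doc_details.pif", "ref-394755.pif",
    "password.pif", "screen_temp.pif", "screen_docs.pif", "movie28.pif",
    "your_details.pif",
}


def sobig_b_indicators(raw_message: bytes) -> List[str]:
    """Return the Sobig.B indicators matched by one raw message, in header order.

    An empty list means nothing matched. A .pif attachment with a name that is
    not on the list is still reported, tagged "other-pif", so the reviewer sees it.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits: List[str] = []

    sender = str(msg.get("From") or "").strip().lower()
    if SOBIG_B_SENDER in sender:
        hits.append(f"from:{SOBIG_B_SENDER}")

    subject = str(msg.get("Subject") or "").strip()
    if subject in SOBIG_B_SUBJECTS:
        hits.append(f"subject:{subject}")

    # Only the text/plain body is inspected; HTML parts are ignored here.
    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None and SOBIG_B_BODY in body_part.get_content():
        hits.append("body:lure-text")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in SOBIG_B_ATTACHMENTS:
            hits.append(f"attachment:{name}")
        elif name.endswith(".pif"):
            hits.append(f"attachment:other-pif:{name}")
    return hits


def is_sobig_b(raw_message: bytes) -> bool:
    """Verdict: a listed .pif attachment alone is decisive; otherwise require two indicators.

    Requiring two indicators keeps a lone matching subject such as "Re: Movie"
    from flagging ordinary mail.
    """
    hits = sobig_b_indicators(raw_message)
    named_pif = any(
        h.startswith("attachment:") and not h.startswith("attachment:other-pif")
        for h in hits
    )
    return named_pif or len(hits) >= 2


def build_sample_lure() -> bytes:
    """Constructed message shaped like the description's email (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "support@microsoft.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Re: My details"
    msg.set_content("All information is in the attached file.")
    # Placeholder bytes stand in for the worm body; no executable content.
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="your_details.pif")
    return msg.as_bytes()


def build_sample_benign() -> bytes:
    """Constructed ordinary mail whose subject happens to be on the list."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Re: Movie"
    msg.set_content("Are we still on for Friday?")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_sample_lure()), ("benign", build_sample_benign())):
        print(label, is_sobig_b(raw), sobig_b_indicators(raw))
```

Run it as-is to see both verdicts; at a gateway, feed `sobig_b_indicators` the raw bytes of each message and log the hit list rather than only the boolean, so a quarantine decision can be reviewed later.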
The worm gathers all the addresses it found in one file: "hnks.ini". Worm/Sobig.B looks for shared networks. When it finds a computer on which it has write rights, it searches for the following paths and copies itself there:
* \Windows\All Users\Start Menu\Programs\StartUp\
* \Documents and Settings\All Users\Start Menu\Programs\Startup\
Manual Remove Instructions
- for Windows 2000/XP:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following file:
* msccn32.exe
Start "regedit" after that and delete the following registry entries:
* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray"="%Windows%\msccn32.exe"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray"="%Windows%\msccn32.exe"
Restart your computer.
- for Windows 9x/Me:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following file:
* msccn32.exe
Start "regedit" after that and delete the following registry entries:
* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray"="%Windows%\msccn32.exe"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray"="%Windows%\msccn32.exe"
Restart your computer.
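Before and after the manual removal above, a defender will want to confirm that the Run entries and the dropped files are really gone. The following Python is an added example, not Avira's tool and not part of the original description: the matching logic works on plain name/data pairs and directory listings so it can be exercised anywhere, while the live probe of the two Run keys through the standard winreg module only runs on Windows. The sample registry values and directory listing are constructed for illustration; the indicator names (msccn32.exe, msccn.exe, hnks.ini, the "System Tray" value) come from the description.

```python
"""Host-side check for the Worm/Sobig.B persistence described above.

Added example (not from the original Avira description). ntpath is used
instead of os.path so Windows paths are handled correctly on any OS.
"""
import ntpath
import sys
from typing import Dict, List

# Indicators from the description above.
RUN_KEYS = [
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]
RUN_VALUE_NAME = "System Tray"
# The description names the dropped copy both ways; both are checked.
WORM_BINARIES = ("msccn32.exe", "msccn.exe")
DROPPED_FILES = WORM_BINARIES + ("hnks.ini",)


def classify_run_value(name: str, data: str) -> bool:
    """True when a Run value looks like the worm's autostart entry.

    Handles the literal "%Windows%\\msccn32.exe" form from the description as
    well as an expanded path, with or without surrounding quotes.
    """
    target = ntpath.basename(data.strip().strip('"')).lower()
    return name.lower() == RUN_VALUE_NAME.lower() and target in WORM_BINARIES


def scan_run_values(values: Dict[str, str]) -> List[str]:
    """Return the value names flagged in one Run key's name->data mapping."""
    return [name for name, data in values.items() if classify_run_value(name, data)]


def scan_windows_dir(listing: List[str], windows_dir: str = "C:\\Windows") -> List[str]:
    """Return full paths of dropped files present in a Windows-directory listing."""
    present = {entry.lower() for entry in listing}
    return [ntpath.join(windows_dir, f) for f in DROPPED_FILES if f in present]


def read_run_keys_live() -> Dict[str, Dict[str, str]]:
    """Read both Run keys via winreg (Windows only); missing keys are skipped."""
    import winreg  # only importable on Windows
    roots = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    found: Dict[str, Dict[str, str]] = {}
    for root_name, subkey in RUN_KEYS:
        values: Dict[str, str] = {}
        try:
            with winreg.OpenKey(roots[root_name], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    values[name] = str(data)
                    index += 1
        except OSError:  # key absent or not readable
            continue
        found[f"{root_name}\\{subkey}"] = values
    return found


# Constructed sample data so the logic can be exercised off a Windows host.
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",  # benign entry
    "System Tray": "C:\\WINDOWS\\msccn32.exe",          # matches the description
}
SAMPLE_LISTING = ["explorer.exe", "msccn32.exe", "hnks.ini", "win.ini"]


if __name__ == "__main__":
    if sys.platform == "win32":
        import os
        for key_path, values in read_run_keys_live().items():
            for name in scan_run_values(values):
                print(f"suspicious Run value: {key_path}\\{name} = {values[name]}")
        windir = os.environ.get("WINDIR", "C:\\Windows")
        for path in scan_windows_dir(os.listdir(windir), windir):
            print(f"dropped file present: {path}")
    else:
        print("flagged values:", scan_run_values(SAMPLE_RUN_VALUES))
        print("dropped files:", scan_windows_dir(SAMPLE_LISTING))
```

On a Windows host run it once as the affected user (HKEY_CURRENT_USER) and once elevated (HKEY_LOCAL_MACHINE); an empty result after the reboot confirms the removal steps took effect.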
This description was created by Crony Walker on Tuesday, 15 June 2004.