Alias: W32/Sobig.E@mm, Win32.HLLW.Reteras
Type: Worm
Size: 86,528 bytes
Origin: unknown
Date: 06-25-2003
Damage: Email and network spreading
VDF Version: 6.20.00.18
Danger: Low
Distribution: Medium

General Description

This new version of Worm/Sobig was discovered on 25th of June and is "in the wild". Within the first 12 hours it was seen in over 15000 files. The worm spreads by email. The message body reads 'Please see the attached zip file for details.' and the attachment is generally a zip file named 'your_details.zip' containing the worm code.

Symptoms

The file WINSSK32.EXE is present in the Windows directory.

Distribution

- Email sending
- Networks

Technical Details

Worm/Sobig.E is about 86,528 bytes in size and is packed with ASPACK and TELock. The contents of the worm file are encoded with a complex algorithm.

When started, it copies itself to the Windows directory as WINSSK32.EXE and creates the following registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SSK Service" = "%WinDIR%\winssk32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SSK Service" = "%WinDIR%\winssk32.exe"

%WinDIR% stands for the Windows directory, which may be named Windows or WINNT depending on the system.

The worm also creates the file MSRRF.DAT in the Windows directory. Worm/Sobig.E spreads itself by email: it sends messages with varying subjects, a fixed body text and various attachments.

The subject can be one of the following:

* Re: Application
* Re: Movie
* Re: Submitted
* Screensaver.scr

The body always contains the same text:

Please see the attached zip file for details.
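The mail characteristics listed above can be turned into a gateway-side check. The following is an added example and not part of the original description or Avira's own detection: it parses a message, matches the subject, body text and attachment name given above, and flags a message only when the body text coincides with the known subject or attachment name. The sample messages, sender and recipient addresses are constructed test data.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above (plain strings, not a signature database)
SOBIG_E_SUBJECTS = {"Re: Application", "Re: Movie", "Re: Submitted", "Screensaver.scr"}
SOBIG_E_BODY = "Please see the attached zip file for details."
SOBIG_E_ATTACHMENT = "your_details.zip"


def sobig_e_indicators(raw: bytes) -> list[str]:
    """Return the Sobig.E mail indicators matched by one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip() in SOBIG_E_SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and SOBIG_E_BODY in body.get_content():
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == SOBIG_E_ATTACHMENT:
            hits.append("attachment-name")
        elif name.endswith(".zip"):
            hits.append("zip-attachment")
    return hits


def is_suspected_sobig_e(raw: bytes) -> bool:
    """Flag only when the fixed body text coincides with the known subject or attachment name."""
    hits = sobig_e_indicators(raw)
    return "body" in hits and ("subject" in hits or "attachment-name" in hits)


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Construct a sample message (constructed test data, not a real captured mail)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    # The payload is a placeholder, not worm code: the check looks at names, not contents.
    m.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                     subtype="zip", filename=filename)
    return m.as_bytes()


WORM_LIKE = build_sample("Re: Movie", SOBIG_E_BODY + "\n", "your_details.zip")
BENIGN = build_sample("Re: Movie", "Here is the cut we discussed.\n", "trailer_notes.zip")
```

A message that matches only the subject (a legitimate "Re: Movie" reply with an unrelated zip) is reported with its partial indicators but not flagged.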

Manual Removal Instructions

- for Windows 2000/XP:

In order to remove the worm by hand, you should boot into Safe Mode first. Press the F8 key when you start your computer and select the 'safe mode' option from the menu that appears. Delete the following files:

* C:\Windows\WINSSK32.EXE
* C:\Windows\MSRRF.DAT

Start "regedit" after that and delete the following registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SSK Service" = "%WinDIR%\winssk32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SSK Service" = "%WinDIR%\winssk32.exe"

Restart your computer.

- for Windows 9x/Me:

In order to remove the worm by hand, you should boot into Safe Mode first. Press the F8 key when you start your computer and select the 'safe mode' option from the menu that appears. Delete the following files:

* C:\Windows\WINSSK32.EXE
* C:\Windows\MSRRF.DAT

Start "regedit" after that and delete the following registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SSK Service" = "%WinDIR%\winssk32.exe"

Restart your computer.
Description inserted by Crony Walker on Tuesday, June 15, 2004
