Alias:
Type: Worm
Size: 59 kbytes
Origin: unknown
Date: 06-01-2003
Damage: Email and network spreading
VDF Version: 6.19.00.xx
Danger: Low
Distribution: Medium

Symptoms
The file mscvb32.exe appears in the Windows folder.

Distribution
- Email sending
- Networks

Technical Details
Worm/Sobig.C is approximately 59 kbytes in size and is packed with UPX. When started, it copies itself to the Windows directory as mscvb32.exe and creates the files msddr.dll and msddr.dat. In msddr.dat it collects the email addresses it finds in local files of type .HTML, .HTM, .TXT, .EML and .WAB. These email addresses are stored in encoded form.

It creates the following registry entries:
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System MScvb"="%Windir%\mscvb32.exe"

* [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System MScvb"="%Windir%\mscvb32.exe"

If the worm finds the following paths on the local network, it copies itself there:
* \Documents and Settings\All Users\Start Menu\Programs\Startup
* \Windows\All Users\Start Menu\Programs\StartUp
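
The artifacts described above (the three files in the Windows directory and the "System MScvb" Run values) can be checked for without changing anything on the system. The following PowerShell script is an added example, not part of the original description; it assumes a host where PowerShell 3.0 or later is available, and its variable names are illustrative.

```powershell
# Added example (not from the original description): read-only check for the
# Worm/Sobig.C artifacts named above. Assumes PowerShell 3.0+; changes nothing.
$valueName = 'System MScvb'
$fileNames = 'mscvb32.exe', 'msddr.dll', 'msddr.dat'
$runKeys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$findings  = @()

# Files the worm drops into the Windows directory.
foreach ($name in $fileNames) {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force   # -Force also returns hidden files
        $findings += [pscustomobject]@{
            Kind = 'File'; Location = $path
            Detail = "$($item.Length) bytes, last written $($item.LastWriteTime)"
        }
    }
}

# Autostart values under the machine-wide and per-user Run keys.
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $valueName)) {
        $findings += [pscustomobject]@{
            Kind = 'Registry'; Location = $key
            Detail = "$valueName = $($props.$valueName)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Worm/Sobig.C artifacts from this description were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```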

Manual Removal Instructions
- for Windows 2000/XP:
To remove the worm by hand, first boot into Safe Mode: press the F8 key while the computer starts and select the 'Safe Mode' option that appears. Then delete the following files:

* mscvb32.exe
* msddr.dll
* msddr.dat

Then start "regedit" and delete the following registry entries:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System MScvb"="%Windir%\mscvb32.exe"

* [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System MScvb"="%Windir%\mscvb32.exe"

Restart your computer.

- for Windows 9x/Me:
To remove the worm by hand, first boot into Safe Mode: press the F8 key while the computer starts and select the 'Safe Mode' option that appears. Then delete the following files:

* mscvb32.exe
* msddr.dll
* msddr.dat

Then start "regedit" and delete the following registry entries:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System MScvb"="%Windir%\mscvb32.exe"

* [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System MScvb"="%Windir%\mscvb32.exe"

Restart your computer.
Description inserted by Crony Walker on Tuesday, June 15, 2004
