Alias: W32/Sobig.f@MM, WORM_SOBIG.F, W32.Sobig.F@mm
Type: Worm
Size: ~70-75 Kbytes
Origin: unknown
Date: 08-19-2003
Damage: sends itself by email
VDF Version: 6.21.00.20
Danger: Low
Distribution: High

General Description
First analysis shows that Worm/Sobig.F is an aggressive worm with an update function. The worm spreads on Windows 9x, Me, 2000 and XP. Like its predecessors, Worm/Sobig.F sends itself by email using its own SMTP engine.

Symptoms
* The file %windir%\winppr32.exe
* Unexpectedly intensive NTP traffic

Distribution
* Sends itself by email

Technical Details
Worm/Sobig.F is about 70-75 kbytes in size, packed with Telock and written in Visual C. It tries to evade detection through extensive variation. When started, it copies itself into the Windows directory under the filename
* winppr32.exe
and creates the following file:
* winstt32.dat

This file is either 0 bytes in size or contains configuration data.

The worm creates the following registry entries:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"

* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"

From then on, the worm can load files from the Internet, for example to update itself or to run new files. Through this function it can also send important and security-relevant data (such as passwords) from the infected computer to the Internet. The infected computer can also be used as a spam relay. For the data transfer, the worm uses the NTP protocol.

Worm/Sobig.F opens ports 995 to 999 on the local system and waits for instructions, for example to download and run Trojans.

The worm can be recognized by one of the following subject lines:
Re: That movie
Re: Wicked screensaver
Re: Your application
Re: Approved
Re: Re: My details
Re: Details
Thank you!
Re: Thank you!

The message body contains one of the following lines:
Please see the attached file for details.
See the attached file for details

The attachment has one of the following names:
movie0045.pif
wicked_scr.scr
application.pif
document_9446.pif
details.pif
your_details.pif
thank_you.pif
document_all.pif
your_document.pif
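A mail-gateway check built from the subject lines, body lines and attachment names listed above; this is an added example, not part of the original description, and the sample message, sender and recipient addresses are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators as listed in the description above.
SOBIG_F_SUBJECTS = {
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Re: Approved", "Re: Re: My details", "Re: Details", "Thank you!",
    "Re: Thank you!",
}
SOBIG_F_BODIES = {
    "Please see the attached file for details.",
    "See the attached file for details",
}
SOBIG_F_ATTACHMENTS = {
    "movie0045.pif", "wicked_scr.scr", "application.pif", "document_9446.pif",
    "details.pif", "your_details.pif", "thank_you.pif", "document_all.pif",
    "your_document.pif",
}


def sobig_f_indicators(raw: bytes) -> list[str]:
    """Return the Sobig.F indicators matched by a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SOBIG_F_SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower() in SOBIG_F_ATTACHMENTS:
            hits.append(f"attachment:{filename}")
        elif part.get_content_type() == "text/plain" and not filename:
            if part.get_content().strip() in SOBIG_F_BODIES:
                hits.append("body")
    return hits


def is_sobig_f(raw: bytes) -> bool:
    """Flag only when a listed attachment name plus one more indicator match."""
    hits = sobig_f_indicators(raw)
    return any(h.startswith("attachment:") for h in hits) and len(hits) >= 2


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Construct a test message (addresses are placeholders, not real data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ" + b"\0" * 16, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()
```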

The email addresses are harvested from files on the infected computer with the following extensions:
dbx
mht
htm
html
wab
hlp
txt
eml
Description submitted by Crony Walker on Tuesday, 15 June 2004
