security alert : sobig.A

info provided by f-secure :

The Sobig worm was found in the wild on January 9th. The worm spreads via email and network shared drives. It also tries to download other files from web pages located on a geocities site.

Mass-mailing

Email addresses are collected from files with various extensions:


'.WAB'
'.DBX'
'.HML'
'.HTML'
'.EML'
'.TXT'

The sender address is fixed, it is always '[email protected]'.

Subjects are randomly chosen from the following list:


'Re: Here is that sample'
'Re: Document'
'Re: Sample'
'Re: Movies'

The message body says:


'Attached file:'

The message contains an executable attachment. The attachment name can be one of the following:


'Sample.pif'
'Untitled1.pif'
'Document003.pif'
'Movie_0074.mpeg.pif'

Local Area Network propagation

Sobig lists all the network shares available to the infected computer and tries to copy itself to either of these directories:


'Windows\All Users\Start Menu\Programs\StartUp'


or


'Documents and Settings\All Users\Start Menu\Programs\Startup'

These are the default startup folders for Windows 9x and NT/XP based systems. If the worm is copied there Windows will run it next time the user logs in. This way the system gets infected.

System infection

When the worm is run on a system for the first time it copies itself to the Windows System Directory using the name 'winmgm32.exe'. After this a new value, pointing to this file is added to the registry as


'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsMGM'

This way the worm will be started every time Windows starts.

Backdoor downloader

Sobig contains a routine that downloads a text file from a website. The content of the file is used as a URL to download some program and run it on the infected machine.

At the time of writing this description this feature is inactive, the file points to a non-exisiting location.

Detection

Detection in F-Secure Anti-Virus was published on January 9th, 2003 in update:

[FSAV_Database_Version]

Version=2003-01-09_04