Sobig Worms
A family of worms known as “Sobig” (but sometimes
also known as “W32.Sobig,” “WORM_SOBIG,”
“BigBoss,” and other names) has been infecting
Windows systems connected to the Internet. Each of the variants
of Sobig is similar to the others in that it uses e-mail and
unprotected shares to infect other systems. Each also works
somewhat differently, however.
Sobig.A
Sobig.A, the earliest known version of Sobig, uses e-mail
and unprotected shares to infect systems that it finds. This
worm sends itself to all the addresses it finds in .htm, .html,
.txt, .eml, .wab, and .dbx files in systems it infects. The
infected e-mail message in which this version of the worm
arrives indicates that the sender is big@boss.com and that
the subject is "Re: Document," "Re: Sample,"
"Re: Here is that sample," or "Re: Movies."
The attachment is usually called "Untitled1.pif,"
"Document003.pif," "Movie_0074.mpeg.pif,"
or "Sample.pif." It also attempts to copy itself
via unprotected network shares, targeting the \Windows\All
Users\Start Menu\Programs\StartUp and Documents and Settings\All
Users\Start Menu\Programs\Startup folders of remote systems.
When it infects a system, it creates a copy of Winmgm32.exe
in the installation folder (C:\windows, C:\winnt, or C:\w2ksrv)
of the infected system, then launches a process that runs
the worm. It then creates a value in the Registry to allow
the worm to run again the next time the system starts. The
value is "WindowsMGM"="%Windir%\Winmgm32.exe"; the targeted key
is HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Although Sobig.A generally causes little damage, a variant
of this worm plants a Trojan program named "Backdoor.Delf"
that allows attackers to gain remote access to any system
it has infected. Additionally, this version of Sobig sends
a message to an address at pagers.icq.com, most likely to
alert the author of this worm of the systems it has breached.
Sobig.B
Sobig.B (also known as the Palyh or Mankx worm)
arrives in the form of an attachment in messages that appear
to be from Microsoft support. Sobig.B creates and then sends
messages to addresses it finds in files with extensions of
.dbx, .eml, .htm, .html, .txt, and .wab in systems it has
infected. The indicated address of the sender is support@microsoft.com.
Subject lines vary, but "Screensaver," "Cool
Movie," "Re: My application," "Approved
(Ref: 38446-263)," and "Your password" are
frequently used. The name of the attachment that contains
this worm has a .pif file extension, but the actual name varies.
"movie28.pif," "screen_temp.pif," "doc_details.pif,"
"ref-394755.pif," and "password.pif" are
common attachment names. If the recipient of an infected message
sent by Sobig.B opens the attachment, the recipient's system
becomes infected. Sobig.B copies itself into the installation
folder as msccn32.exe and then creates two files, hnks.ini
and msdbrr.ini, within the same folder. Sobig.B also creates
a Registry value, "System Tray"="%Windir%\msccn32.exe",
in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Insertion of this value causes Sobig.B to be started whenever
the infected system boots. In Windows NT, 2003, and XP systems
it also adds this value to
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Sobig.B also attempts to copy itself to the Windows\All
Users\Start Menu\Programs\StartUp and
Documents and Settings\All Users\Start Menu\Programs\Startup
folders of other Windows systems that have unprotected shares,
and tries to download data from four GeoCities Web pages. Luckily,
the Sobig.B worm code contains instructions that deactivate the
worm on a designated date, June 7, 2003.
Sobig.C
Sobig.C surfaced shortly after Sobig.B deactivated itself.
This version of Sobig also forges senders’ addresses,
sometimes even using Bill Gates’ address. Sobig.C sends
copies of itself to addresses it finds in files with .dbx,
.eml, .htm, .html, .txt and .wab extensions in infected systems.
This version of Sobig also uses a variety of attachment
names, such as documents.pif, screensaver.scr, and movie.pif.
It copies itself into the installation folder of each infected
system as mscvb32.exe. It then creates the files msddr.dat
and msddr.dll and adds "System MScvb"="%Windir%\mscvb32.exe"
as a value under the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Like the Sobig.A and Sobig.B variants, Sobig.C attempts to
spread itself to two folders, Windows\All Users\Start Menu\Programs\StartUp
and
Documents and Settings\All Users\Start Menu\Programs\Startup,
in Windows systems with unprotected shares. It also tries
to download data from four GeoCities Web pages.
Sobig.D
Sobig.D sends itself as an attachment to the e-mail addresses
in files with .dbx, .eml, .htm, .html, .txt and .wab extensions
and also tries to infect systems with unprotected shares.
Subject lines vary; examples include “RE: Accepted,”
“RE: Application. 00347545-002,”“RE: Documents,”
“RE: Movies,” “RE: Messages,” “RE:
Screensaver,” and others. Messages appear to be from
admin@support.com as well as a variety of additional addresses.
Names of attachments include “Accepted.pif,” “Application844.pif,”
“Applications.pif,” “Document.pif,”
“movies.pif,” “ref_456.pif,” “Screensave.scr,”
and others. Sobig.D copies itself into the installation folder
of the infected system as Cftrb32.exe and then creates
dftrn32.dat and rssp32.dat within the same folder. It also
inserts the value "SFtrb Service"="%Windir%\cftrb32.exe"
into the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
key in the Registry of each infected system and, in Windows NT,
2000, and XP systems, also into
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Additionally, Sobig.D
tries to copy itself to the Windows\All Users\Start Menu\Programs\StartUp
and
Documents and Settings\All Users\Start Menu\Programs\Startup
folders in remote systems with unprotected shares. Fortunately,
Sobig.D is programmed to become inactive on July 2, 2003.
Sobig.E
Sobig.E is one of the most prolific variants of the Sobig
worm family. Once again it is a mass-mailing worm that sends
itself to all the email addresses that it finds in the files
with .dbx, .eml, .htm, .html, .txt, and .wab extensions. Infected
messages, which appear to come from support@yahoo.com, have
a variety of subject lines, including (but not limited to)
“004448554.pif,” “Application.pif,”
“Applications.pif,” “movie.pif,” “Movie.zip,”
“new document.pif,” “Referer.pif,”
“Re: Application,” “Re: Document,”
“Re: Documents and Your application,” “Re:
Movie,” “Re: Movies,” “Re: Screensaver,”
“Re: Submitted,” “Screensaver.scr,”
and “submited.pif.” Sobig.E also creates the following
attachment names: “Application.zip,” “Document.zip,”
“Screensaver.zip,” and “Your_details.zip.”
Sobig.E, like the other variants, targets the installation
folder, first installing winssk32.exe and then msrrf.dat.
It then adds the value "SSK Service"="%Windir%\winssk32.exe"
to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
key in the Registry of the infected system. In Windows NT,
2000 and XP systems it also adds the same value to
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Just like its predecessors, it tries to connect to unprotected
shares on remote Windows systems to copy itself to Windows\All
Users\Start Menu\Programs\StartUp and Documents and Settings\All
Users\Start Menu\Programs\Startup. Sobig.E is more dangerous
than any previous version of Sobig, however, in that it can
download arbitrary files to infected systems and then run
them, enabling this worm to glean sensitive system information
and also to set up spam relay servers on compromised systems.
Additionally, this variant of Sobig has a self-update feature
that enables Sobig.E’s author to learn of the particular
systems that have become infected. Infected systems attempt
to contact a master server by connecting to UDP port 8998
of that server and also open UDP ports 995–999 on
each infected system. As in the case of several other Sobig
variants, Sobig.E is programmed to become inactive on July
14, 2003.
The Sobig.F Worm
The Sobig.F worm is yet another mail-borne worm that targets
Windows systems. It arrives as a mail attachment with a subject
such as “Re: Details,” “Re: Re: My details,”
“Re: Approved,” “Re: Your application,”
“Re: Thank you!,” and “Thank you!”
The attachment is named “application.zip,” “details.zip,”
“document_all.zip,” “document_9446.zip,”
“movie0045.zip,” “thank_you.zip,”
“wicked_scr.zip,” “your_details.zip,”
or “your_document.zip.”
Don't Open the Attachment
The attachment remains benign if users don't open it. If
anyone opens the attachment and Norton AntiVirus is not up
to date, the trouble begins.
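A mail-gateway check added here as an example (not code from the original page): it parses one message with Python's standard email module and scores it against the Sobig.F sender, subject and attachment indicators listed above; the sample message and its attachment body are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Sobig.F indicators from the section above, lower-cased for matching; the
# forged sender list covers the addresses the earlier variants used.
FORGED_SENDERS = {"big@boss.com", "support@microsoft.com",
                  "admin@support.com", "support@yahoo.com"}
SOBIG_SUBJECTS = {"re: details", "re: re: my details", "re: approved",
                  "re: your application", "re: thank you!", "thank you!"}
SOBIG_ATTACHMENTS = {"application.zip", "details.zip", "document_all.zip",
                     "document_9446.zip", "movie0045.zip", "thank_you.zip",
                     "wicked_scr.zip", "your_details.zip", "your_document.zip"}
RISKY_EXTENSIONS = (".pif", ".scr")  # how the earlier variants arrived

# Constructed sample message; the attachment body is a placeholder, not a payload.
SAMPLE_MSG = """\
From: support@yahoo.com
Subject: Re: Your application
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file.
--b1
Content-Type: application/octet-stream; name="your_details.zip"
Content-Disposition: attachment; filename="your_details.zip"

placeholder-bytes
--b1--
"""

def triage_message(raw):
    """Return (verdict, reasons): 'quarantine' on a known Sobig attachment name
    or a .pif/.scr attachment, 'suspicious' on sender/subject alone, else 'clean'."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = msg.get("Subject", "").strip().lower()
    names = [p.get_filename().lower() for p in msg.walk() if p.get_filename()]
    reasons, quarantine = [], False
    if sender in FORGED_SENDERS:
        reasons.append("forged sender " + sender)
    if subject in SOBIG_SUBJECTS:
        reasons.append("known subject " + repr(subject))
    for name in names:
        if name in SOBIG_ATTACHMENTS or name.endswith(RISKY_EXTENSIONS):
            reasons.append("sobig attachment " + name)
            quarantine = True
    verdict = "quarantine" if quarantine else "suspicious" if reasons else "clean"
    return verdict, reasons
```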
Sobig.F copies itself into an infected system as winppr32.exe,
then adds an entry ("TrayX"="%systemroot%\winppr32.exe /sinc")
to the Run key in the Registry so
that it starts every time the infected system is booted. It
can download and run arbitrary executables, one of which sends
system information to predesignated addresses and another
of which creates a spam relay server. Sobig.F also tries to
connect to UDP port 8998 of a master machine under the control
of the culprit who wrote this worm to obtain a URL for a site
from which updates to the worm code can be obtained.
Update attempts occur on Mondays or Fridays between noon
and 5 p.m. PDT. Sobig.F also opens UDP ports 995–999
on infected systems for possible changes to the set of master
servers.
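A host-side check added here as an example (not from the original page): given a .reg export of a Run key, the Python below flags the persistence values the Sobig variants above install, matching on the value name and on the dropped executable so a renamed value is still caught; the sample export is constructed.

```python
import re

# Run-key value name -> (variant, dropped executable), from the variant
# descriptions above.
SOBIG_RUN_VALUES = {
    "WindowsMGM": ("Sobig.A", "winmgm32.exe"),
    "System Tray": ("Sobig.B", "msccn32.exe"),
    "System MScvb": ("Sobig.C", "mscvb32.exe"),
    "SFtrb Service": ("Sobig.D", "cftrb32.exe"),
    "SSK Service": ("Sobig.E", "winssk32.exe"),
    "TrayX": ("Sobig.F", "winppr32.exe"),
}

# Constructed sample of a `reg export` of the HKLM Run key (.reg files escape
# backslashes as \\); two Sobig entries sit beside a made-up benign one.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Example\\updater.exe /quiet"
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"
"System Tray"="%Windir%\\msccn32.exe"
'''

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg_run_values(reg_text):
    """Return {value_name: data} for the REG_SZ values in a .reg export,
    skipping the header, [key] lines and non-string values."""
    values = {}
    for line in reg_text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values

def find_sobig_persistence(reg_text):
    """Return [(variant, value_name, data)] for Run values whose name or
    executable matches a Sobig variant; an empty list means no match."""
    hits = []
    for name, data in parse_reg_run_values(reg_text).items():
        exe = data.split()[0].rsplit("\\", 1)[-1].lower() if data.strip() else ""
        for known_name, (variant, known_exe) in SOBIG_RUN_VALUES.items():
            if name == known_name or exe == known_exe:
                hits.append((variant, name, data))
    return hits
```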
Cleaning Up
There is no Sobig.F removal tool, so cleaning up a Sobig.F
infection must be done manually. Procedures are described
on the W32.Sobig.F@mm page
of the Symantec Web site. To prevent a Sobig.F infection,
be sure to keep your system’s Norton
AntiVirus up to date and avoid opening email attachments
from anyone you do not know.
Eradicating Sobig
Recommended procedures for removing this worm are available
from the Symantec Web site. Cleaning a system infected by every variant
of Sobig except for Sobig.D (which Symantec claims is easy
to remove) is generally easiest if you first download a Sobig
removal tool. Different versions of the tool, corresponding
to particular Sobig variants, are available.