Tech Update
Sobig worm opens the door for a Trojan horse
By Robert Vamosi
January 10, 2003


An unoriginal e-mail carries a link to a Trojan horse program that could allow others access to infected systems. Sobig (w32.sobig@mm) arrives by e-mail and attempts to download a Trojan horse onto infected systems. Sobig is written in Microsoft Visual C and attempts to infect others via network shares and e-mail, using its own SMTP engine. Because Sobig spreads via e-mail but doesn't clearly damage computer files, this worm rates a 4 on the ZDNet Virus Meter.

How it works
Sobig always arrives via e-mail with the return address big@boss.com. The subject line is made to look like a reply to an earlier message; examples include:

Re: here is that sample
Re: Movies
Re: Sample
Re: Document

The attached files vary in name, but all are 65,536 bytes in length. Examples include:

Document003.pif
Sample.pif
Movie_0074.mpeg.pif
Untitled1.pif

Once active, Sobig spreads primarily through network shares by copying itself to the following directories:

Windows\All Users\Start Menu\Programs\Startup\
Documents and Settings\All Users\Start Menu\Programs\Startup

The worm also adds the following value to the system Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM

Users infected with Sobig will find files named winmgm32.exe (file size 65,536), sntmls.dat, and dwn.dat in the Windows directory.
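A mail-gateway check for the e-mail indicators listed above (sender address, reply-style subjects, a .pif attachment of exactly 65,536 bytes), written as an added example that is not from the original article. The message it scans is a constructed, zero-filled stand-in, not a real Sobig sample.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators as stated in the advisory above.
SOBIG_SENDER = "big@boss.com"
SOBIG_SUBJECTS = {"Re: here is that sample", "Re: Movies", "Re: Sample", "Re: Document"}
SOBIG_ATTACHMENT_SIZE = 65_536


def sobig_indicators(raw: bytes) -> list[str]:
    """Return the Sobig indicators found in one raw RFC 822 message, in header order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = str(msg.get("From", ""))
    if SOBIG_SENDER in sender.lower():
        hits.append(f"sender {SOBIG_SENDER}")
    subject = str(msg.get("Subject", ""))
    if subject in SOBIG_SUBJECTS:
        hits.append(f"subject {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".pif"):
            hits.append(f".pif attachment {name}")
            # The size match is the strongest single indicator from the advisory.
            if len(payload) == SOBIG_ATTACHMENT_SIZE:
                hits.append(f"{name} is exactly {SOBIG_ATTACHMENT_SIZE} bytes")
    return hits


def build_sample(sender: str, subject: str, filename: str, size: int) -> bytes:
    """Constructed test message; the attachment is zero-filled, not worm code."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("see attachment")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    sample = build_sample("big@boss.com", "Re: Sample", "Sample.pif", 65_536)
    for hit in sobig_indicators(sample):
        print("match:", hit)
```

A single hit (for instance a "Re: Sample" subject alone) is weak evidence; quarantining on the sender plus a .pif attachment of that exact size is the combination worth acting on.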

Prevention
Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe from the attached PIF file in Sobig. Users who have not upgraded to Outlook 2002 or who have not installed the Security Update for Outlook 2000 should do so. In general, do not open attached files in e-mail without first saving them to hard disk and scanning them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signature files that include Sobig.

Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee, MessageLabs, Norman, Panda, Sophos, Symantec, or Trend Micro.
