Prevent Online Threats

I-Worm.Sobig

Details
I-Worm.Sobig.f
Sobig.f is a worm spreading via the Internet as a file attached to infected emails. The Sobig.f worm also spreads through shared network resources.
The worm itself is a Windows PE EXE file that is written in Microsoft Visual C++ and is compressed by the TeLock utility. Its file sizes are typically around 70 KB when compressed (TeLock), while its decompressed size is about 100 KB.
The Sobig.f worm activates only when a user double-clicks the attached file. Once launched, the worm installs itself in the system and runs its spreading routine.

Installation
During installation the worm copies itself into the Windows directory under the name winppr32.exe and registers itself in the system registry autorun keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TrayX = %WindowsDir%\winppr32.exe /sinc

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
TrayX = %WindowsDir%\winppr32.exe /sinc

Spreading via email
To collect victim email addresses the worm looks for .TXT, .EML, .HTML, .HTM, .DBX, .WAB, .MHT and .HLP files in all directories on all available local drives, scans them for email-like text strings and sends infected emails to the addresses it finds. To send infected messages the worm uses the SMTP engine specified in the system properties.
Below are variations of Sobig.f message content:
The From field contains a fake email address (found on the infected machine) or admin@internet.com.
Subject:
Re: That movie
Re: Wicked screensaver
Re: Your application
Re: Approved
Re: Re: My details
Re: Details
Your details
Thank you!
Re: Thank you!
Message Body:
See the attached file for details
Please see the attached file for details.
Attached file name:
movie0045.pif
wicked_scr.scr
application.pif
document_9446.pif
details.pif
your_details.pif
thank_you.pif
document_all.pif
your_document.pif
The worm also creates the file winstt32.dat in the Windows directory and writes the email addresses that were found on the infected machine to this file.

Spreading via network
The worm scans all accessible network resources (other computers in a network) and copies itself to the auto-start directories (if there are such subdirectories) of each resource (computer) found.

Updating
The worm sends UDP packets to random IP addresses on port 8998 and awaits commands from the ‘master’ machine. The commands contain URLs from which Sobig.f downloads and executes files. Thus the worm is able to upgrade itself and/or install other applications (Trojans, for instance).
Loading additional files
The worm launches a procedure that every 60 minutes checks the current time against Greenwich Mean Time. To do this it queries NTP (Network Time Protocol) servers. SoBig.F keeps an internal list of 19 NTP servers (18 IP addresses and the hostname chronos.cru.fr).

When an NTP server does not reply, the worm falls back to the system function for reading the current time, ‘gmtime’. On Fridays and Sundays, when the current time is between 19:00 and 23:00 GMT, the worm begins to download additional files. To do so it sends UDP (User Datagram Protocol) packets to port 8998 on each address in a list that the worm stores in encoded form. Currently these sites are blocked and therefore do not respond to queries.
The IP addresses in that list (decoded):

The SoBig.f worm receives replies to its queries as UDP packets on port 8998. Each reply contains an encoded URL (Uniform Resource Locator); the worm downloads the file at that URL and executes it.
Other
All worm routines are active until September 10, 2003.
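The update channel described in the "Updating" and "Loading additional files" sections (UDP port 8998, queries fanned out to many addresses, a UDP reply carrying the encoded URL, and the Friday/Sunday 19:00-23:00 GMT window) can be turned into a simple network detection. The following is an added example, not code from the original write-up; the log format and the sample lines are constructed, and the detection thresholds are assumptions.

```python
# Added example (not from the original advisory): flag hosts whose UDP traffic matches
# the Sobig.f update channel described above: outbound packets to UDP port 8998 fanned
# out over many destination IPs, and any inbound UDP/8998 reply, which is how the
# encoded download URL arrives.  Log format and sample lines are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not real traffic):
# "<ISO-8601 UTC timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2003-08-22T19:05:12Z UDP 10.0.0.7:1040 -> 67.73.21.6:8998
2003-08-22T19:05:13Z UDP 10.0.0.7:1041 -> 24.33.66.38:8998
2003-08-22T19:05:14Z UDP 10.0.0.7:1042 -> 65.92.80.218:8998
2003-08-22T19:05:15Z UDP 10.0.0.7:1043 -> 12.232.104.221:8998
2003-08-22T19:05:20Z UDP 65.92.80.218:8998 -> 10.0.0.7:1042
2003-08-22T19:06:00Z UDP 10.0.0.9:5353 -> 10.0.0.1:53
2003-08-22T19:06:01Z TCP 10.0.0.9:1100 -> 10.0.0.20:445
"""

def parse_line(line):
    """Split one log line into (timestamp, proto, src_ip, src_port, dst_ip, dst_port)."""
    ts, proto, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), proto, sip, int(sport), dip, int(dport)

def in_sobig_window(ts):
    """Friday or Sunday, 19:00-23:00 GMT: the download window the page describes."""
    return ts.weekday() in (4, 6) and 19 <= ts.hour < 23

def detect_sobig_update_channel(log_text, min_fanout=3):
    """Return {host: finding} for hosts that beacon on UDP/8998 or receive UDP/8998 replies."""
    out_dsts, replies, in_window = defaultdict(set), defaultdict(set), defaultdict(bool)
    for line in log_text.splitlines():
        ts, proto, sip, sport, dip, dport = parse_line(line)
        if proto != "UDP":
            continue
        if dport == 8998:                    # outbound beacon / query
            out_dsts[sip].add(dip)
            in_window[sip] |= in_sobig_window(ts)
        elif sport == 8998:                  # inbound reply carrying the encoded URL
            replies[dip].add(sip)
    findings = {}
    for host in set(out_dsts) | set(replies):
        if len(out_dsts[host]) >= min_fanout or replies[host]:
            findings[host] = {"distinct_targets": len(out_dsts[host]),
                              "reply_from": sorted(replies[host]),
                              "in_trigger_window": in_window[host]}
    return findings
```

A single inbound UDP/8998 reply is treated as sufficient on its own, since nothing legitimate on the page's description uses that port; the fan-out threshold only matters for the outbound side.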

I-Worm.Sobig

Details
I-Worm.Sobig.e
Sobig.e is a worm spreading via the Internet as a file attached to infected emails. The Sobig.e worm also spreads through open network shares.
The worm itself is a Windows PE EXE file that is written in Microsoft Visual C++ and is compressed by the TeLock utility. Its file size is typically around 80 KB and above when compressed (TeLock), while its decompressed size is about 130 KB.
What separates Sobig.e from its four predecessors is its use of the ZIP file format; what it does after infecting a system is virtually identical to past Sobig variants.
The Sobig.e worm activates from an infected email only when a user clicks on or unzips the attached file, depending on the attachment’s format.
When run, the worm installs itself in the system and runs its spreading routine.
Installing
While installing, the worm copies itself to the Windows directory under the name winssk32.exe and registers itself in the system registry auto-run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SSK Service = %WindowsDir%\winssk32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SSK Service = %WindowsDir%\winssk32.exe

Spreading: email
To send infected messages the worm uses a built-in SMTP engine. To collect victim email addresses the worm looks for .TXT, .EML, .HTML, .HTM, .DBX and .WAB files in all directories on all available local drives. From the files it finds, Sobig.e retrieves email-like strings.
Below are variations of Sobig.e message content:
The “From” field contains a fake email address (found on the infected machine) or “support@yahoo.com”.

Subject:

“Re: Movie”
“Re: Movies”
“Re: Submited (Ref: 003746)”
“Re: Screensaver”
“Re: Documents”
“Re: Re: Application ref. 003644”
“Re: Re: Document”
“Your application”

Message Body:

‘Please see the attached zip file for details.’

Attached file name:

“details.pif”
“application.zip”
“application.pif”
“document.zip”
“document.pif”
“screensaver.zip”
“sky_world.scr”
“Movie.zip”
“Movie.pif”

The files with the “zip” extension are archives that contain the worm’s executable file.
The worm also creates the file msrrf.dat in the Windows directory and writes to this file the email addresses that were found on the infected machine.
Spreading: via network
The worm enumerates all accessible network resources (other computers in a network) and copies itself to the auto-start directories (if there are such subdirectories) of each resource (computer) found:
Windows\All Users\Start Menu\Programs\StartUp\
Documents and Settings\All Users\Start Menu\Programs\Startup\

Updating
The worm opens network connections on ports 995, 996, 997, 998 and 999, takes commands from its “master” and receives data from it. The data comes in the form of URLs. The worm downloads files from these URLs and executes them. As a result the worm is able to “upgrade” itself with new versions and/or to install other applications (trojan programs, for example).
Other
All worm routines (except “Updating”, see above) are active until July 14, 2003. This means the worm does not run its spreading (both email and network) routines after July 14, 2003.

I-Worm.Sobig

Details
I-Worm.Sobig.c

Sobig.c is a worm spreading via the Internet as an infected email file attachment. The worm also spreads via network resources.
The worm itself is a Windows PE EXE file, written in Microsoft Visual C++, and compressed by the UPX compression utility. The file’s size is about 60 KB or higher when compressed with UPX, while the decompressed size is about 120 KB.
The worm is activated from an infected email only if a user clicks on the attached file.
When run, the worm installs itself in the system and runs its spreading routine.
Installing
While installing, the worm copies itself to the Windows directory under the name mscvb32.exe and registers itself in the system registry auto-run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System MScvb = %WindowsDir%\mscvb32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System MScvb = %WindowsDir%\mscvb32.exe

Spreading: email
To send out infected messages the worm uses a direct connection to the default SMTP server.
To collect victim email addresses the worm looks for .TXT, .EML, .HTML, .HTM, .DBX and .WAB files in all directories on all available local drives. It extracts email-like strings from the files it finds.
Message attributes include:
The “From” field contains a fake email address that is either found on the infected machine or “bill@microsoft.com”.
Subject:
Re: Screensaver
Re: Movie
Re: Submited (004756-3463)
Re: 45443-343556B37DB6480EC9657E
Re: Approved
Approved78A85131
Re: Your application
Re: Application

Message Body:
Please see the attached file.

Attached file name:
screensaver.scr
movie.pif
submited.pif
45443.pif
documents.pif
approved.pif
application.pif
document.pif

The messages are also sent with attached files whose file name has its last letter cut off:

screensaver.sc
movie.pi
submited.pi
45443.pi
documents.pi
approved.pi
application.pi
document.pi

The Sobig.c worm also creates the file msddr.dat in the Windows directory and writes to this file the email addresses that were found on the infected machine.
Spreading via networks
The worm enumerates all accessible network resources (other computers in a network) and copies itself into their auto-start directories (if there are such subdirectories):
Windows\All Users\Start Menu\Programs\StartUp\
Documents and Settings\All Users\Start Menu\Programs\Startup\

Updating
The worm downloads files from four Web locations (these locations are “hardcoded” into the worm body) and executes them. As a result the worm is able to “upgrade” itself with new versions and/or install other applications such as trojan programs and spyware.
Other
All worm routines (except the “Updating” feature) are active until June 8, 2003 only. This means the worm does not run its spreading routines (both email and network) after June 8, 2003.

I-Worm.Sobig

Details
I-Worm.Sobig.b
This is a worm spreading via the Internet as a file attached to infected emails. The worm also spreads via local area networks.

The worm itself is a Windows PE EXE file, written in Microsoft Visual C++, and is compressed by UPX. The file size is 50 KB (UPX) and above; the decompressed size is 110 KB and above.

The worm activates from an infected email only when a user clicks on the attached file.

When run, the worm installs itself in the system and runs its spreading routine.

Installing

While installing, the worm copies itself to the Windows directory under the name “msccn32.exe” and registers itself in the system registry auto-run keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe
Because of a bug the worm in some cases copies itself to the wrong directories (root of the drive, current directory); despite this, its spreading routines will activate upon the next computer restart.
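The "Installing" sections of all four variants above name the Run-key value and image file each one registers (TrayX / winppr32.exe, SSK Service / winssk32.exe, System MScvb / mscvb32.exe, System Tray / msccn32.exe). The following is an added example, not code from the original write-ups, that checks a registry export for those entries; the .reg sample is constructed, and the benign "Updater" entry in it is a placeholder.

```python
# Added example (not from the original advisories): scan a Windows registry export
# (the text "reg export" writes) for the auto-run entries the Sobig variants above
# install.  Only value names and image file names from the page are used; the sample
# export below is constructed, not taken from a real machine.
import re

# Value name -> image file, as documented for Sobig.f, .e, .c and .b.
SOBIG_RUN_ENTRIES = {
    "TrayX": "winppr32.exe",
    "SSK Service": "winssk32.exe",
    "System MScvb": "mscvb32.exe",
    "System Tray": "msccn32.exe",
}
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            keys[current][name] = data.strip('"').replace("\\\\", "\\")  # undo .reg escaping
    return keys

def find_sobig_autoruns(reg_text):
    """Return (key, value_name, image_basename, expected_image) per suspicious Run value.
    Names and image basenames compare case-insensitively; command-line arguments are
    ignored, since Sobig.f registers 'winppr32.exe /sinc'."""
    by_name = {k.lower(): v for k, v in SOBIG_RUN_ENTRIES.items()}
    images = set(SOBIG_RUN_ENTRIES.values())
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            image = re.split(r"\s+/", data, maxsplit=1)[0].rsplit("\\", 1)[-1].lower()
            if name.lower() in by_name or image in images:
                hits.append((key, name, image, by_name.get(name.lower())))
    return hits

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"
"Updater"="C:\\Program Files\\Vendor\\updater.exe /background"
"""
```

Matching on the image name as well as the value name catches a renamed value that still points at one of the documented executables.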

Spreading via email

To send infected messages the worm uses a direct connection to the default SMTP server. To collect victim email addresses the worm looks for .TXT, .EML, .HTML, .HTM, .DBX and .WAB files in all directories on all available local drives. Palyh then extracts email-like strings from the files it finds.

Messages contain the following attributes:

From:

support@microsoft.com
Subject:

Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My details
Your password
Re: Approved (Ref: 3394-65467)
Approved (Ref: 38446-263)
Your details
Message Body:

All information is in the attached file.
Attached file name:

your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif
The worm also creates a file named “hnks.ini” in the Windows directory and writes to this file the email addresses that were found on an infected machine.
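The email-spreading sections of Sobig.f, .e, .c and .b above share the same structure: a spoofed sender from a short fixed set, a terse "see the attached file" body, and a .pif or .scr attachment, sent either with its last letter cut off (Sobig.c) or wrapped in a ZIP archive (Sobig.e). The following is an added example, not code from the original write-ups, that triages a message for those traits; the sample message is constructed, and the sender set, extensions and the "Re: Screensaver" subject are taken from the page.

```python
# Added example (not from the original advisories): triage an RFC 822 message for the
# traits the Sobig email sections share: spoofed senders listed on the page, .pif/.scr
# attachments, the Sobig.c last-letter-cut extension and Sobig.e ZIP wrapping.
import io, zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr

SPOOFED_SENDERS = {"admin@internet.com", "support@yahoo.com", "bill@microsoft.com", "support@microsoft.com"}
EXEC_EXTS = {".pif", ".scr"}
TRUNCATED_EXTS = {e[:-1] for e in EXEC_EXTS}   # ".pi", ".sc" as sent by Sobig.c

def classify_name(filename):
    """'exec', 'truncated', 'zip' or None, from the attachment's extension."""
    low = filename.lower()
    ext = low[low.rfind("."):] if "." in low else ""
    if ext in EXEC_EXTS:
        return "exec"
    return "truncated" if ext in TRUNCATED_EXTS else ("zip" if ext == ".zip" else None)

def triage(raw_bytes):
    """Return the reasons a message looks like Sobig mail (empty list if none)."""
    msg = message_from_bytes(raw_bytes)
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in SPOOFED_SENDERS:
        reasons.append(f"spoofed sender {sender}")
    for part in msg.walk():
        name = part.get_filename()
        kind = classify_name(name) if name else None
        if kind == "zip":   # Sobig.e hides the .pif/.scr inside the archive
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                inner = [n for n in zf.namelist() if classify_name(n) in ("exec", "truncated")]
            if inner:
                reasons.append(f"zip {name} contains {inner}")
        elif kind:
            reasons.append(f"{kind} attachment {name}")
    return reasons

def build_sample(filename, inner_name=None):
    """Constructed Sobig.c-style message; wraps the payload in a ZIP when inner_name is given."""
    payload = b"MZ placeholder, not a real executable"
    if inner_name:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(inner_name, payload)
        payload = buf.getvalue()
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "bill@microsoft.com", "user@example.com", "Re: Screensaver"
    m.set_content("Please see the attached file.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()
```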

Spreading via network

The worm enumerates all accessible network resources (other computers in a network) and copies itself into any auto-start directories present:

Windows\All Users\Start Menu\Programs\StartUp\
Documents and Settings\All Users\Start Menu\Programs\Startup\
Updating

The worm downloads files from four Web addresses (they are “hardcoded” in the worm body) and executes them. As a result the worm is able to “upgrade” itself with new versions and/or install other applications (trojan programs, for example).

Other

All worm routines (except “Updating”, see above) are active until May 31, 2003. This means the worm does not run its spreading (both email and network) routines after May 31, 2003.