Yet another Sobig worm variant is loose
By Robert Vamosi

New worm gives us yet another reason not to open attached e-mail files

(6/25/03)

The latest in a family of Sobig worms is loose on the Internet. Sobig.e (w32.sobig.e@mm) arrives by e-mail with an attached file and also spreads through shared network folders. Unlike earlier Sobig variants, this one reuses subject lines borrowed from Sobig.c and uses only a single attachment filename, which makes it somewhat easier to recognize. Sobig.e affects only Windows systems. Once executed, it mails copies of itself with its own SMTP engine and attempts to download Trojan horse files from a Web site. Sobig.e is self-terminating: it stops spreading after July 14, 2003. Because it spreads by both e-mail and network shares and may steal personal information such as passwords, this worm rates a 6 on the ZDNet Virus Meter.

How it works
Sobig.e arrives via e-mail or shared network file. The e-mail message appears to be from someone you might know, but this address is spoofed. The e-mail's subject line may include one of the following:

Application Ref: 456003
Your application
Re: Re: Document
Re: Re: Application ref. 003644
Re: Documents
Re: Screensaver
Re: Submited (Ref: 003746)
Re: Movies
Re: Movie
Re: Application

The attached file is your_details.zip. ZIP attachments pass through most extension-blocking rules in e-mail clients, so the filter will not protect you; do not open this file. Some copies of Sobig.e sent from infected machines carry an attachment with only a .zi extension, which is the same archive with the last letter of the extension truncated.

The body text for Sobig.e may also read "Please see the attached zip file for details."
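The indicators above (the fixed subject lines, the your_details.zip or .zi attachment, and the body text) are enough for a mail-gateway rule. The following Python script is an added example written for this page, not code from the ZDNet article or from any antivirus vendor. It parses a message, reports which indicators match, and shows why an attachment blocklist keyed on executable extensions alone misses this worm: the carrier is a ZIP archive, and a ".zi" file is still a ZIP. The sample message, the sender address and the filename placed inside the demo archive (your_details.pif) are all constructed for the demonstration; the article does not say what the real archive contains.

```python
"""Mail-side check for the published Sobig.e indicators (added example)."""
import email
import io
import zipfile
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Indicators quoted from the write-up above.
SUBJECTS = {
    "Application Ref: 456003",
    "Your application",
    "Re: Re: Document",
    "Re: Re: Application ref. 003644",
    "Re: Documents",
    "Re: Screensaver",
    "Re: Submited (Ref: 003746)",
    "Re: Movies",
    "Re: Movie",
    "Re: Application",
}
ATTACHMENT_NAMES = {"your_details.zip", "your_details.zi"}
BODY_TEXT = "Please see the attached zip file for details."

# A typical executable-extension blocklist of the period; ZIP is not on it.
EXEC_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".vbs"}


def _extension(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def naive_blocklist_hit(msg: Message) -> bool:
    """Old-style rule: block only if an attachment name ends in an executable extension."""
    return any(
        _extension(part.get_filename() or "") in EXEC_EXTENSIONS
        for part in msg.walk()
        if part.get_filename()
    )


def sobig_e_indicators(msg: Message) -> list:
    """Return the matched indicators; an empty list means nothing matched."""
    hits = []
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        fname = part.get_filename()
        if fname is None:
            # Inline text part: look for the fixed body sentence.
            if part.get_content_type() == "text/plain":
                text = part.get_payload(decode=True) or b""
                if BODY_TEXT in text.decode("latin-1", "replace"):
                    hits.append("body")
            continue
        if fname.lower() in ATTACHMENT_NAMES:
            hits.append("attachment-name")
        payload = part.get_payload(decode=True) or b""
        # Sniff the payload rather than trusting the extension: a truncated
        # ".zi" name is still a ZIP archive and still opens as one.
        if payload.startswith(b"PK"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    inner = [n for n in zf.namelist() if _extension(n) in EXEC_EXTENSIONS]
                if inner:
                    hits.append("archived-executable:" + ",".join(inner))
            except zipfile.BadZipFile:
                hits.append("corrupt-zip")
    return hits


def build_sample(attachment_name: str, inner_name: str = "your_details.pif") -> Message:
    """Construct a demo message shaped like the described mail (constructed data,
    including the inner filename; it is not the worm's real content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"demo payload, not the worm")
    msg = MIMEMultipart()
    msg["From"] = "someone.you.know@example.com"  # the real worm spoofs this header
    msg["Subject"] = "Re: Submited (Ref: 003746)"
    msg.attach(MIMEText(BODY_TEXT))
    att = MIMEApplication(buf.getvalue(), _subtype="zip")
    att.add_header("Content-Disposition", "attachment", filename=attachment_name)
    msg.attach(att)
    return email.message_from_bytes(msg.as_bytes())


if __name__ == "__main__":
    for name in ("your_details.zip", "your_details.zi"):
        m = build_sample(name)
        print(name, "blocklist:", naive_blocklist_hit(m), "indicators:", sobig_e_indicators(m))
```

Running it shows the extension blocklist returning False for both attachment names while the indicator check flags the subject, body, attachment name and the executable inside the archive. The payload sniffing is the part worth keeping after this worm is gone: a gateway that decides on the outer filename alone can be bypassed by renaming or truncating the extension.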

This worm does not automatically execute. Therefore, you must open the attached file to become infected with Sobig.e. Upon execution, the worm adds the following files to the default Windows directory:

WinSSK32.EXE (copy of the worm)
MSRRF.DAT (configuration file)

The worm also searches the local disk for files with the following extensions and harvests any e-mail addresses embedded in them as targets for its mailings:

TXT
EML
HTML
HTM
DBX
WAB

Sobig.e may carry a built-in list of servers and send packets to them on port 123, the port used by the Network Time Protocol (NTP).

Removal
Several antivirus companies have already updated their signature files to cover this worm. An updated scanner will block the worm on arrival and, in some cases, remove an active infection from your system. For more information, see Central Command, Computer Associates, McAfee, MessageLabs, Norman, Panda, Sophos, and Symantec.

