Detection files published: 19 Aug 2003
Description created: 2003-08-19
Description updated: 2003-08-21
Alias:
Spreading mechanism
Payload:
The email will have the following characteristics:
Possible subject lines:
Re: Thank you!
Thank you!
Your details
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Possible body text:
See the attached file for details
Please see the attached file for details.
Possible attachment names:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
When run, it copies itself to the Windows directory under the name winppr32.exe. It creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "TrayX"="[WINDIR]\winppr32.exe /sinc"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "TrayX"="[WINDIR]\winppr32.exe /sinc"
These entries make it run at startup.
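As an added example (not Norman's code), the following Python checks a raw mail message against the subject lines, body text and attachment names listed above. The block/review/pass policy, the function names and the sample addresses are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the description above, lower-cased for comparison.
SUBJECTS = {
    "re: thank you!", "thank you!", "your details", "re: details",
    "re: re: my details", "re: approved", "re: your application",
    "re: wicked screensaver", "re: that movie"}
BODIES = ("see the attached file for details",)
ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif"}


def check_message(raw: bytes) -> dict:
    """Return which of the listed traits a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    # get_filename() decodes encoded names; drop any path component.
    names = [(p.get_filename() or "").replace("\\", "/").rsplit("/", 1)[-1]
             .strip().lower() for p in msg.iter_attachments()]
    hits = {
        "subject": subject in SUBJECTS,
        "body": any(b in body for b in BODIES),
        "attachment": sorted(n for n in names if n in ATTACHMENTS),
    }
    # Assumed policy: a listed attachment name is decisive; the subject or
    # body text alone also occurs in legitimate mail and only gets review.
    if hits["attachment"]:
        hits["verdict"] = "block"
    elif hits["subject"] or hits["body"]:
        hits["verdict"] = "review"
    else:
        hits["verdict"] = "pass"
    return hits


def build_sample(subject, text, filename=None) -> bytes:
    """Constructed test message; the attachment is inert placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", subject
    m.set_content(text)
    if filename:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Attachment names are compared case-insensitively because Windows treats YOUR_DETAILS.PIF and your_details.pif as the same file.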
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. If your Norman antivirus is unable to clean up the infection, please use the latest version of this program from the link below.
| Usage | Title | Comment |
|---|---|---|
| Stop the spread of viruses on network shares | | |
| Cleaning of back-up folders on Windows Me and XP | | |