- It is the new variant of Sobig and Sobig.B worms, appeared last 19th May. They infected numerous corporate environments
- As the previous versions, Sobig.C has it own SMTP engine to distribute itself through e-mail. It makes that worm so dangerous
MADRID, June, 1st, 2003
Panda Software recommends users to stay on their guard against the appearing of the new worm Sobig.C. The international technical support had receiving some incidents caused by this new malicious code. Its prebious versions, Sobig and Sobig.B, infected numerous corporate environments in just few hours. For this reason, and to avoid being affected by this new worm, the company recommends to all customers to update their antivirus on www.pandasoftware.com/download/updates, or install the protection as soon as possible if they don’t have it yet.
Sobig.C has been developed in Microsoft Visual C++. It affects Win9x, ME, NT, 2000 and XP systems and has a size of 59.211 Bytes (compressed by UPX).
The new worm Sobig.C, as th eprevious versions, can distribute itself thanks to it own SMTP engine. Sobig.C spreads via e-mail, using its own SMTP engine, to all addresses it finds in the affected computer in files with the following extensions: .TXE, .EML, .HTM*, .DBX, and .WAB..
The ‘From’ field in the e-mail that carries the worm displays different address extracted from the computed affected. It uses the “Social engineering” as it comes from a known addresses and try to mislead users.
The message subject is variable, and could include any of the following:
Re: 45443-343556
Re: Approved
Approved
Re: Movie
Re: Your application
Re:Application
Re: Submited (004756-3463)
The name of the attached file that actually contains Sobig.C is also variable, and could be:
Screensaver.scr
movie.pif
submited.pif
45443.pif
approved.pif
application.pif
document.pif
documents.pif
The message body has only one sentence: “Please, see the attached file.”
Once installed in the computer, the worm tries to copy itself in the following network address, if available:
- \Documents and Settings\All Users\Start Menu\Programs\Startup\
- \Windows\All Users\Start Menu\Programs\Startup\
When executed, the worm copies in the folder %windir% a file called “mscvb32.exe”, containing the worm code and creates another file called msddr.dat.
In addition, Sobig.C adds the following registry entries to get control of the system on each reboot:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
System MScvb = %windir%\mscvb32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
System MScvb = %windir%\mscvb32.exe (donde %WinDir% es el directorio de Windows por defecto, por ejemplo, Winnt o Windows).
All Panda Software customers can Update their antivirus because the signature file update is available. To all the users without any antivirus protection, they can use on line Panda ActiveScan for free, in www.pandasoftware.com or download any Panda Antivirus trial version in www.pandasoftware.com/download.
About Panda Software's virus laboratory
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.
For more information:
Yolanda Ruiz
yruiz@pandasoftware.es
Tel. +34 91 806 37 00