Malware Name: WORM_SOBIG.F
Aliases: Win32.HLLM.Reteras
Overall Risk Rating: Medium
Damage Potential: High
Distribution Potential: High
Trend Micro customers should download pattern file #618 at www.trendmicro.com/download/pattern.asp. Trend Micro Control Manager(tm) Outbreak Prevention Policy #48 and Trend Micro System Cleaner #162 ver 03 will be available shortly. Non-Trend Micro customers should scan their IT systems with Trend Micro's free online scanner, HouseCall, which can be found at http://housecall.trendmicro.com/.
This worm propagates by mass-mailing copies of itself using its own Simple Mail Transfer Protocol (SMTP) engine. It collects email addresses from files with the following extensions:
DBX
HLP
MHT
WAB
HTML
The email message it sends out contains the following details:
Subject: <any of the following:>
Re: Thank you!
Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Message body: <any of the following:>
See the attached file for details.
Please see the attached file for details.
Attachment: <any of the following:>
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
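As an added illustration (not part of the advisory), the following Python mail classifier checks an inbound RFC 822 message against the subject, body and attachment indicators listed above and flags any .pif/.scr attachment even under an unlisted name. The indicator sets are copied from this page; the sample message is constructed and contains only filler bytes.

```python
import email
from email import policy

# Indicators quoted from the advisory above.
SOBIG_F_SUBJECTS = {
    "Re: Thank you!", "Thank you!", "Re: Details", "Re: Re: My details",
    "Re: Approved", "Re: Your application", "Re: Wicked screensaver", "Re: That movie",
}
SOBIG_F_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif", "your_details.pif",
    "details.pif", "document_9446.pif", "application.pif", "wicked_scr.scr", "movie0045.pif",
}
SOBIG_F_BODIES = {"See the attached file for details.", "Please see the attached file for details."}

def classify_message(raw: bytes) -> dict:
    """Return which WORM_SOBIG.F indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    # Lower-case attachment names so THANK_YOU.PIF still matches the list.
    names = [(p.get_filename() or "").strip().lower() for p in msg.iter_attachments()]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    hits = {
        "subject": subject in SOBIG_F_SUBJECTS,
        "attachment": any(n in SOBIG_F_ATTACHMENTS for n in names),
        "body": body in SOBIG_F_BODIES,
        # A .pif/.scr attachment is worth quarantining even under a name not listed above.
        "executable_attachment": any(n.endswith((".pif", ".scr")) for n in names),
    }
    if hits["subject"] and hits["attachment"]:
        hits["verdict"] = "sobig_f"
    else:
        hits["verdict"] = "suspicious" if hits["executable_attachment"] else "clean"
    return hits

# Constructed sample (not a real capture); the attachment body is filler bytes.
SAMPLE_SOBIG = b"""Subject: Re: Thank you!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file for details.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="thank_you.pif"

AAAA
--b1--
"""
```

Run `classify_message(SAMPLE_SOBIG)` to see every indicator field set and the verdict `sobig_f`; a mail gateway hook would quarantine on `sobig_f` and hold `suspicious` for review.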
It runs on Windows 95, 98, ME, NT, 2000, and XP systems.
Upon execution, this worm drops a copy of itself in the Windows folder as winppr32.exe:
%Windows%\winppr32.exe
(Note: %Windows% is the Windows folder, which by default is C:\Windows on Windows 9x, ME, and XP, or C:\Winnt on Windows NT and 2000 systems.)
It also drops a non-malicious text file, winstt32.dat, in the Windows folder:
%Windows%\winstt32.dat
To ensure that it is automatically executed at every Windows startup, it adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
TrayX = "%Windows%\winppr32.exe /sinc"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
TrayX = "%Windows%\winppr32.exe /sinc"
For more information, please visit:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F
# # #
About Trend Micro
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has its European headquarters in Marlow, England, and business units worldwide.
Trend Micro products are sold through corporate, value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit:
http://www.trendmicro-europe.com
Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners.
For further information, please contact:
Annegees van Linge
Lammers van Toorenburg Benelux PR
T: +31 (0)30 6565 070
E: annegees@lvtpr.nl