Protect your system: McAfee.com VirusScan Online

Updated 1/10/03
EVRT™ Virus Advisory issued for Worm/SoBig.A
Details:
Name: Worm/SoBig.A
Alias: Win32.Sobig.A@mm
Type: Internet Worm
Discovered: January 9, 2003
Size: 65.536KB
Platforms: Windows
Description:
Worm/SoBig.A is an Internet worm that spreads through e-mail by using addresses it collects
by searching files with the following extensions: *.txt, *.eml, *.html, *.htm, *.dbx,
and *.wab.
The worm arrives through e-mail in the following format:
Subject: <selected from the list below>
- Re: Movies
- Re: Sample
- Re: Document
- Re: Here is that sample
Body: <none>
Attachment: <selected from the list below>
- Movie_0074.mpeg.pif
- Document003.pif
- Untitled1.pif
- Sample.pif
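The message format above can be turned into a mail-gateway check. The following is an added example, not part of the original advisory: the function names, the case-insensitive matching and the rule that flags any .pif attachment (a generalization beyond the four listed names) are assumptions, and the sample messages are constructed.

```python
from email.message import EmailMessage

# Indicators copied from the advisory text; matching is case-insensitive (assumption).
SUBJECTS = {"re: movies", "re: sample", "re: document", "re: here is that sample"}
ATTACHMENTS = {"movie_0074.mpeg.pif", "document003.pif", "untitled1.pif", "sample.pif"}


def sobig_indicators(msg):
    """Return the set of advisory indicators that a parsed message matches."""
    hits = set()
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.add("subject")
    body_empty = True
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None:
            # Not an attachment: treat as body text and see if anything is in it.
            if (part.get_payload(decode=True) or b"").strip():
                body_empty = False
        elif name.strip().lower() in ATTACHMENTS:
            hits.add("attachment-name")
        elif name.strip().lower().endswith(".pif"):
            # Generalization beyond the advisory's four names: any .pif attachment.
            hits.add("pif-extension")
    if body_empty:
        hits.add("empty-body")
    return hits


def should_quarantine(msg):
    """Quarantine on a .pif attachment; subject and empty body are analyst context."""
    hits = sobig_indicators(msg)
    return "attachment-name" in hits or "pif-extension" in hits


def sample(subject, body, filename):
    """Build a constructed test message (not a captured worm e-mail)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    if body:
        msg.set_content(body)
    msg.add_attachment(b"constructed", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    print(should_quarantine(sample("Re: Sample", "", "Sample.pif")))          # worm-like
    print(should_quarantine(sample("Q3 report", "See attached.", "q3.pdf")))  # benign
```

A subject match alone is not treated as grounds for quarantine, because subjects such as "Re: Document" also occur in ordinary mail.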
If executed, the worm copies itself to the \windows\ directory under the
filename "Winmgm32.exe". Additionally, the files
"C:\Windows\reteral[1].txt", "C:\Windows\%system%\mptask.exe"
and "C:\Windows\%system%\sysmgmt32.dll" are created. The worm also
copies itself to the startup directories on all shared network
drives.
So that it runs each time a user restarts their computer, the following
registry key is added:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsMGM"="C:\\WINDOWS\\winmgm32.exe"
"MPtask Services"="C:\\WINDOWS\\SYSTEM\\mptask.exe"
It will then try to download the file mptask.exe from the following URL:
- http://www.lorico****.com/users/***k/txtfile._
This downloaded file will be recognized as TR/Delf.