New Virus to Watch Out For

The machines we love to hate

Moderator: Wiz Feinberg

Smiley Roberts
Posts: 4564
Joined: 3 Dec 1999 1:01 am
Location: Hendersonville,Tn. 37075

New Virus to Watch Out For

Post by Smiley Roberts »

Here's What it does to you.....

W32/Sobig.E
added June 26
The CERT/CC has received reports of a variant of the Sobig mass-emailing worm, referred to as "W32/Sobig.E." It arrives as an attachment with a .zip extension. Within that .zip file is a file with either a .scr or .pif extension. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds in files with a .wab, .dbx, .htm, .html, .eml, or .txt file extension. Additionally, this worm spoofs the "From" address, therefore it is likely that the sender address is not that of the infected user.

Upon execution, the worm places the following files in the "%Windir%" directory:

winssk32.exe (copy of worm)
msrrf.dat (configuration file)

The following registry keys are created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SSK Service"="%Windir%\winssk32.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SSK Service"="%Windir%\winssk32.exe"

The worm also attempts to propagate by copying itself to the following folders:

Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows\All Users\Start Menu\Programs\StartUp\

The CERT/CC strongly encourages users to install anti-virus software, and keep its virus information files up-to-date.

Users may also wish to consider filtering email attachments with the extensions listed above.

You may also wish to visit the CERT/CC's computer virus resources page. www.cert.org/other_sources/viruses.html
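As an added example (not part of the post above or of the CERT/CC advisory it quotes), here is a read-only PowerShell check for the W32/Sobig.E artifacts listed in the advisory: the two dropped files, the "SSK Service" Run values, and copies in the all-users Startup folders. It assumes the Startup folders sit under %SystemDrive% and %Windir% exactly as the advisory names them; the function name is the author's own.

```powershell
# Added example: check a Windows host for the W32/Sobig.E indicators from the
# advisory above. Read-only: it reports findings and removes nothing.
function Test-SobigEIndicators {
    $findings = @()
    $windir = $env:WINDIR

    # 1. Files the worm drops into %Windir%
    foreach ($name in 'winssk32.exe', 'msrrf.dat') {
        $path = Join-Path $windir $name
        if (Test-Path -LiteralPath $path) {
            $findings += "File present: $path"
        }
    }

    # 2. "SSK Service" value under the Run key in HKLM and HKCU
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['SSK Service']) {
            $findings += "Run value: $key\SSK Service = $($props.'SSK Service')"
        }
    }

    # 3. Executable copies in the all-users Startup folders
    #    (assumption: folders are located as the advisory names them)
    $startupDirs = @(
        (Join-Path $env:SystemDrive 'Documents and Settings\All Users\Start Menu\Programs\Startup'),
        (Join-Path $windir 'All Users\Start Menu\Programs\StartUp')
    )
    foreach ($dir in $startupDirs) {
        if (Test-Path -LiteralPath $dir) {
            Get-ChildItem -LiteralPath $dir -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer -and
                               ('.scr', '.pif', '.exe') -contains $_.Extension.ToLower() } |
                ForEach-Object { $findings += "Startup item: $($_.FullName)" }
        }
    }
    return ,$findings
}

$hits = Test-SobigEIndicators
if ($hits.Count -eq 0) { 'No W32/Sobig.E indicators found.' } else { $hits }
```

A hit on any of the three checks is a reason to run an up-to-date anti-virus scan, as the advisory recommends, rather than to delete files by hand.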
Joey Ace
Posts: 9791
Joined: 11 Feb 2001 1:01 am
Location: Hamilton, Ontario, Canada

Post by Joey Ace »

So, is this a good thing or a bad thing?

There's a removal tool here: http://www.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html

Ken Lang
Posts: 4708
Joined: 8 Jul 1999 12:01 am
Location: Simi Valley, Ca

Post by Ken Lang »

Upon execution, the worm places the following files in the "%Windir%" directory:

How about we execute the developer of the worm? At least chop off all the fingers.

I'm serious, at least about the fingers. This virus stuff has gone far enough. It's not funny anymore.