Virus/worm update

What follows is a brief description of how they work.

SOBIG
W32/Sobig.f@MM is a mass-mailing worm which arrives as an email attachment with a .pif or an .src extension. The virus then sets up its own mail component (SMTP engine) on the host computer. Then it randomly selects an email address taken from an email in the user's Inbox. Finally it sends a self-generated email to this harvested email address.

The maddening aspect of this is that this "spoofing" of the infected user's "From:" field makes it appear to the recipient of the email that the sender is in fact that user. Unfortunately the text in both the "Subject:" and "Body" fields varies so one cannot create rules to delete such emails, however the following format has been noted.

Subject line: Chosen from -
Re: That movie
Re: Wicked screensaver
Re: Your application
Re: Approved
Re: Re: My details
Re: Details
Your details
Thank you!

Message text: Chosen from -
Please see the attached file for details.
See the attached file for details

Attached file: Chosen from -
movie0045.pif
wicked_scr.scr
application.pif
document_9446.pif
details.pif
your_details.pif
thank_you.pif
document_all.pif
your_document.pif

As a rule of thumb, if something looks suspicious delete it. The worm copies itself onto the infected machine as C:\WINNT\WINPPR32.EXE.

More SOBIG information


Blaster
This worm targets Windows 2000 and Windows XP machines. Windows NT and Windows 2003 Server machines are vulnerable if not properly patched. This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and then execute it. Upon execution Windows XP and Windows Server 2003 systems might try to reboot every few minutes without user input; Windows NT 4.0 and Windows 2000 systems will become unresponsive. Unlike SOBIG, W32.Blaster does not have mass-mailing functionality.

More Blaster information