IT & the Lawyer

Virus/worm update

What follows is a brief description of how they work.

W32/Sobig.f@MM is a mass-mailing worm which arrives as an email attachment with a .pif or an .src extension. The virus then sets up its own mail component (SMTP engine) on the host computer. Then it randomly selects an email address taken from an email in the user's Inbox. Finally it sends a self-generated email to this harvested email address.

The maddening aspect of this is that this "spoofing" of the infected user's "From:" field makes it appear to the recipient of the email that the sender is in fact that user. Unfortunately the text in both the "Subject:" and "Body" fields varies so one cannot create rules to delete such emails, however the following format has been noted.

Subject line: Chosen from -
Re: That movie
Re: Wicked screensaver
Re: Your application
Re: Approved
Re: Re: My details
Re: Details
Your details
Thank you!

Message text: Chosen from -
Please see the attached file for details.
See the attached file for details

Attached file: Chosen from -

As a rule of thumb, if something looks suspicious delete it. The worm copies itself onto the infected machine as C:\WINNT\WINPPR32.EXE.

More SOBIG information

This worm targets Windows 2000 and Windows XP machines. Windows NT and Windows 2003 Server machines are vulnerable if not properly patched. This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and then execute it. Upon execution Windows XP and Windows Server 2003 systems might try to reboot every few minutes without user input; Windows NT 4.0 and Windows 2000 systems will become unresponsive. Unlike SOBIG, W32.Blaster does not have mass-mailing functionality.

More Blaster information

Leave a comment:

Security Picture (click to change)
Word shown in picture:
menu close

Search Articles