An unoriginal e-mail carries a link to a Trojan horse program that could allow others access to infected systems. Sobig (w32.sobig@mm) arrives by e-mail and attempts to download a Trojan horse onto infected systems. Sobig is written in Microsoft Visual C and attempts to infect other machines via network shares and e-mail, using its own SMTP engine. Because Sobig spreads via e-mail but doesn't clearly damage computer files, this worm rates a 4 on the ZDNet Virus Meter.
How it works
Sobig arrives via e-mail, always with the return address big@boss.com. The subject line is made to look like a reply to a message the recipient sent; examples include:
Re: here is that sample
Re: Movies
Re: Sample
Re: Document
The attached files vary in name, but all are 65,536 bytes in length. Examples include:
Document003.pif
Sample.pif
Movie_0074.mpeg.pif
Untitled1.pif
Once active, Sobig spreads primarily through network shares by copying itself to the following directories:
Windows\All Users\Start Menu\Programs\Startup\
Documents and Settings\All Users\Start Menu\Programs\Startup
The worm also adds the following value to the system Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM
Users infected with Sobig will find files named winmgm32.exe (file size 65,536), sntmls.dat, and dwn.dat in the Windows directory.
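The indicators listed above (sender address, reply-style subject, 65,536-byte .pif attachment, dropped files and the WindowsMGM Run value) can be turned into a simple triage check. The following is an added example, not ZDNet's or any vendor's code; it assumes message metadata is supplied as a dict with "from", "subject" and "attachments" keys, and that host data arrives as plain lists collected by some inventory tool. The sample messages and host inventory are constructed for illustration.

```python
# Added example: triage a mail message and a host inventory against the
# Sobig indicators described in the writeup. Message and host data are
# assumed to be handed in as plain Python structures (an assumption, not
# something the page specifies); the samples below are constructed.
SOBIG_SENDER = "big@boss.com"
SOBIG_ATTACHMENT_SIZE = 65_536  # every Sobig attachment is exactly this size
SOBIG_REGISTRY_VALUE = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM"
SOBIG_DROPPED_FILES = {"winmgm32.exe", "sntmls.dat", "dwn.dat"}


def sobig_mail_indicators(msg):
    """Return the list of Sobig mail indicators matched by one message."""
    hits = []
    if msg.get("from", "").lower() == SOBIG_SENDER:
        hits.append("sender big@boss.com")
    # "Re:" subjects are weak evidence on their own: real replies look the same.
    if msg.get("subject", "").lower().startswith("re:"):
        hits.append("reply-style subject")
    for name, size in msg.get("attachments", []):
        # Names such as Movie_0074.mpeg.pif hide the .pif when Explorer hides
        # known extensions, so match on the final extension only.
        if name.lower().endswith(".pif"):
            hits.append(f"PIF attachment {name}")
            if size == SOBIG_ATTACHMENT_SIZE:
                hits.append(f"attachment size {size} bytes")
    return hits


def is_probable_sobig(msg):
    """Require the two strong indicators together: the fixed sender and a
    .pif attachment of exactly 65,536 bytes."""
    hits = sobig_mail_indicators(msg)
    return "sender big@boss.com" in hits and any(
        h.startswith("attachment size") for h in hits)


def sobig_host_indicators(windows_files, run_values):
    """Report dropped-file names and the WindowsMGM Run value found in a host
    inventory (file names in the Windows directory, Run key value paths)."""
    found = [f for f in windows_files if f.lower() in SOBIG_DROPPED_FILES]
    if SOBIG_REGISTRY_VALUE.lower() in (v.lower() for v in run_values):
        found.append(SOBIG_REGISTRY_VALUE)
    return found


# Constructed sample messages: one matching the writeup, one benign reply.
SAMPLE_MESSAGES = [
    {"from": "big@boss.com", "subject": "Re: Movies",
     "attachments": [("Movie_0074.mpeg.pif", 65536)]},
    {"from": "alice@example.com", "subject": "Re: Document",
     "attachments": [("Document.docx", 20480)]},
]
```

Running `sobig_host_indicators` against a real machine would mean listing the Windows directory and the HKLM Run key with whatever inventory tooling is in use; the function only scores what it is given.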
Prevention
Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe from the attached PIF file in Sobig. Users who have not upgraded to Outlook 2002 or who have not installed the Security Update for Outlook 2000 should do so. In general, do not open attached files in e-mail without first saving them to hard disk and scanning them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signature files that include Sobig.
Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee, MessageLabs, Norman, Panda, Sophos, Symantec, or Trend Micro.