Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Sobig.A

W32/Sobig

Win32/Sobig.A is a worm spreading as aan email file attachment.  The worm has a file size of 65536 bytes and is compressed.  After unpacking its size is approximately 122 KB.

Win32/Sobig.A arrives as message with one of the following subjects:

Re: Movies
Re: Sample
Re: Document
Re: Here is the sample

There is a file with the worm in the attachment that may have the name Movie_0074.mpeg.pif, Document003.pif, Untitled1.pif or Sample.pif.

Note: In following text a symbolic %windir% variable is used instead of the name of directory in which the Windows operating system is installed. Of course, this may differ from installation to installation.

When started the worm is copied into the directory %windir% using the file-name winmgm32.exe .  The worm also creates the sntmls.dat in the same directory.  The worm assures its activation after restarting the operation system by creation of the item WindowsMGM in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. It sets the item value to point to its copy in the directory %windir%.

The worm collects the email addresses to spread from files with extensions HTM, EML, HTML, WAB, TXT a DBX.

Win32/Sobig.A has the ability to spread in local area networks.  It creates the file winmgm32.exe on available network drives and in directories Windows\All Users\Start Menu\Programs\StartUp or Documents and Settings\All Users\Start Menu\Programs\Startup.  Programs located in these directories will be run automatically when a user logs into the system thus enabling attacks on  the computer.

NOD32 detects the Win32/Sobig.A from version 1.344.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.