Threat Encyclopedia


Win32/Sobig.C

Win32/Sobig.C was discovered in e-mail attachments on May 31, 2003. Its similarity to Sobig.B (aka Palyh.A) shows, among other things, in the 'Sender' field. While the B variant pretended to be sent from Microsoft support, the new variant is even more 'personal': in some cases it pretends to come from the Microsoft founder himself, "bill@microsoft.com". Other sender addresses are also possible.

The infected e-mail may carry one of several alternative subjects, selected from the following list:

Re: Application
Re: Your application
Approved
Re: Approved
Re: 45443-343556
Re: Submited (004756-3463)
Re: Movie
Re: Screensaver
Screensaver

The infected message body is limited to a simple suggestion:

Please see the attached file

The malicious payload is activated when a user clicks the infected attachment on an unprotected computer. The attachment can have one of the names in the following list:

document.pif
application.pif
approved.pif
documents.pif
45443.pif
submited.pif
movie.pif
screensaver.scr
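
The mail indicators listed above (subject, body text, attachment name) can be combined into a mailbox-triage check. The Python below is an added example, not part of the original entry or of any ESET product; the function names, the rule "listed attachment name plus one more indicator", and the sample messages are assumptions of this example. The sender address is not matched because the entry notes that other senders are possible.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the lists on this page (the worm's own spellings kept).
SUBJECTS = {s.lower() for s in (
    "Re: Application", "Re: Your application", "Approved", "Re: Approved",
    "Re: 45443-343556", "Re: Submited (004756-3463)", "Re: Movie",
    "Re: Screensaver", "Screensaver")}
ATTACHMENTS = {
    "document.pif", "application.pif", "approved.pif", "documents.pif",
    "45443.pif", "submited.pif", "movie.pif", "screensaver.scr"}
BODY = "please see the attached file"

def sobig_c_indicators(raw):
    """Return which of the page's Sobig.C mail indicators a raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # Collapse folded whitespace before comparing the subject.
    if " ".join(str(msg.get("Subject", "")).split()).lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
        elif not name and part.get_content_type() == "text/plain":
            try:
                text = part.get_content()
            except LookupError:  # unknown charset label: skip the body check
                continue
            if BODY in text.lower():
                hits.append("body")
    return hits

def is_suspect(raw):
    # Assumption of this example: a listed attachment name plus one more indicator.
    hits = sobig_c_indicators(raw)
    return len(hits) >= 2 and any(h.startswith("attachment:") for h in hits)

def build_sample(subject, body, filename=None):
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "bill@microsoft.com", "user@example.com", subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return bytes(m)
```

A subject match alone is not flagged, since "Approved" or "Re: Movie" also occur in ordinary mail.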

To ensure its further activation, the worm creates a new item, "System MScvb", in the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The item's path points to the file mscvb.exe (the worm), located in the Windows System directory.

The worm is also able to spread in a network environment in the same way as variant B.

Clients using NOD32, v.1.422, are fully protected against the worm.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.