Threat Encyclopedia


Win32/Sobig.D

Win32/Sobig.D, a mass-mailing worm, was discovered in e-mail attachments on June 18th, 2003. It will cease its activities on July 2nd, 2003, because its internal timing routine disables execution from that date onward.
NOD32 clients using v2 did not need any virus signature database update, since NOD32's advanced heuristics (introduced in April of this year) were capable of detecting the worm the moment it appeared. The worm spreads from the infected computer via e-mails carrying infected attachments and also within network environments via shared folders.
The code and behaviour of this worm are almost identical to those of its older 'brother', Win32/Sobig.C, so the new worm is nothing 'to write home about'. There are a few differences in the subject, message body, names of the infected e-mail attachment files and a few other details described below. To collect new recipients for the infected e-mails, the worm searches through files with the following extensions:

txt
eml
html
htm
dbx
wab

Several alternative subjects may appear in the infected e-mail, selected from the following list:

Re: Application
Your application
Re: Accepted
Re: Screensaver
Re: Your Application (Ref: 003844)
Application Ref: 456003
Re: Movies
Re: App. 00347545-002
Re: Documents

The infected message body is limited to the following suggestion:

See the attached file for details

The malicious payload is activated when a user clicks the infected attachment on an unprotected computer. The attachment can have one of the names from the following list:

Application.pif
Applications.pif
Accepted.pif
Screensaver.scr
Application844.pif
ref_456.pif
movies.pif
app003475.pif
Document.pif
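
As an added defender-side example (not ESET/NOD32 code), the following Python function checks an incoming mail message against the subject, body and attachment-name indicators listed above; the sample message it builds is constructed for the demonstration.

```python
"""Mail-gateway check for the Win32/Sobig.D indicators listed on this page.
Added example, not ESET/NOD32 code; the sample message below is constructed."""
import email
from email import policy
from email.message import EmailMessage

SUBJECTS = {
    "Re: Application", "Your application", "Re: Accepted", "Re: Screensaver",
    "Re: Your Application (Ref: 003844)", "Application Ref: 456003",
    "Re: Movies", "Re: App. 00347545-002", "Re: Documents",
}
ATTACHMENTS = {
    "application.pif", "applications.pif", "accepted.pif", "screensaver.scr",
    "application844.pif", "ref_456.pif", "movies.pif", "app003475.pif",
    "document.pif",
}
BODY = "see the attached file for details"

def sobig_d_indicators(raw: bytes) -> list[str]:
    """Return the indicators found in one RFC 822 message (empty list = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY in body.get_content().strip().lower():
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append(f"attachment:{name}")
        elif name.endswith((".pif", ".scr")):
            hits.append(f"executable-attachment:{name}")
    return hits

def is_sobig_d(raw: bytes) -> bool:
    """Flag when a listed attachment name is present plus one more indicator."""
    hits = sobig_d_indicators(raw)
    return any(h.startswith("attachment:") for h in hits) and len(hits) >= 2

def build_sample() -> bytes:
    """Constructed sample message mimicking the worm's mail (harmless bytes)."""
    m = EmailMessage()
    m["Subject"] = "Re: Your Application (Ref: 003844)"
    m["To"] = "recipient@example.com"
    m.set_content("See the attached file for details\n")
    m.add_attachment(b"not a real executable", maintype="application",
                     subtype="octet-stream", filename="Application844.pif")
    return m.as_bytes()
```

Quarantining on the attachment-name match alone would also be reasonable, since none of the listed names has a legitimate use; the two-indicator rule simply keeps false positives low for a generic gateway.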

To ensure it is run again after a restart, the worm copies itself into the Windows System directory as cftrb32.exe and creates a new value named "SFtrb Service", pointing to that file, under the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The worm also creates an additional data file, rssp32.dat, in the Windows System directory.
Clients using NOD32 v2 are fully protected against the worm without any program update. Signature-based detection of the worm has been added as of v.1.442 (and higher).