F-Secure Virus Descriptions : Sobig.E

NAME: Sobig.E
ALIAS: I-Worm.Sobig.gen, W32/Sobig.E@mm, Win32.HLLM.Reteras

A new variant of Sobig, known as Sobig.E, was first found on June 25th, 2003, and it is spreading in the wild. The worm usually arrives in e-mails with the body text "Please see the attached zip file for details." and the attachment "your_details.zip".

Technical Description

The worm's file is a PE executable 86528 bytes long, compressed with the Aspack and TELock file compressors. The unpacked worm's file size is over 130 kilobytes. Most of the text strings in the worm's body are encrypted with a complex algorithm; the worm decrypts its strings on demand.

Installation to system

When an infected attachment is run by a user, the worm installs itself on the system. It copies its file as WINSSK32.EXE to the Windows folder and creates startup keys for that file in the System Registry:

 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
 "SSK Service" = "%windir%\winssk32.exe"

 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
 "SSK Service" = "%windir%\winssk32.exe"

where %windir% represents the Windows directory. This is done to make sure that the worm's copy is run during every Windows session.

Additionally the worm can create the MSRRF.DAT file in Windows folder for its own use.

Spreading in e-mails

The worm spreads itself in e-mails. The infected message is composed by the worm from different, randomly selected subjects, a fixed message body and different, randomly selected attachment names. The worm's file is sent inside a ZIP archive attached to an infected message.

The worm has the following subjects hard-coded in its body:

 referer.pif
 004448554.pif
 re.document.pif
 new_document.pif
 submited.pif
 Screensaver.scr
 movie.pif
 Applications.pif
 Application.pif
 Your application
 Re: Re: Document
 Re: Re: Application ref. 003644
 Re: Documents
 Re: Screensaver
 Re: Submited (Ref: 003746)
 Re: Movies
 Re: Movie
 Re: Application

The worm has the following attachment names hard-coded in its body. The worm's executable file name that is sent in an archive is given in brackets:

 Movie.zip		(Movie.pif)
 screensaver.zip	(sky_world.scr)
 document.zip		(document.pif)
 application.zip	(application.pif)
 your_details.zip	(details.pif)

However, so far we only saw messages with the following characteristics:

Subject:

 Re: Application
or
 Re: Movie

Body:

 Please see the attached zip file for details.

Attachment:

 your_details.zip

The attachment contains the worm's file under the name DETAILS.PIF. The fact that the worm uses only 2 subjects and 1 attachment name indicates that the worm's randomizing routine has a bug.
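The message characteristics listed above, together with the archive-scanning requirement noted in the Detection section, translate directly into a gateway check. The following Python script is an added example written for this description; it is not F-Secure's code or part of the worm. It parses a raw message, compares subject, body and attachment name against the hard-coded lists, and opens any ZIP attachment to see whether it carries a directly executable file (.pif, .scr and similar). The sample messages are constructed inside the script, with a harmless text stub standing in for the worm's executable.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subjects, archive/executable names and body text hard-coded in the worm,
# copied from the lists in the description.
SOBIG_E_SUBJECTS = {
    "referer.pif", "004448554.pif", "re.document.pif", "new_document.pif",
    "submited.pif", "Screensaver.scr", "movie.pif", "Applications.pif",
    "Application.pif", "Your application", "Re: Re: Document",
    "Re: Re: Application ref. 003644", "Re: Documents", "Re: Screensaver",
    "Re: Submited (Ref: 003746)", "Re: Movies", "Re: Movie", "Re: Application",
}
SOBIG_E_ATTACHMENTS = {
    "movie.zip": "movie.pif",
    "screensaver.zip": "sky_world.scr",
    "document.zip": "document.pif",
    "application.zip": "application.pif",
    "your_details.zip": "details.pif",
}
SOBIG_E_BODY = "Please see the attached zip file for details."
# Extensions Windows executes directly; .pif and .scr are the ones the worm uses.
EXECUTABLE_EXTS = (".pif", ".scr", ".exe", ".com", ".bat")


def scan_message(raw: bytes) -> dict:
    """Return indicator matches and a verdict for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {
        "subject_match": (msg["Subject"] or "").strip() in SOBIG_E_SUBJECTS,
        "body_match": False,
        "attachment_match": False,
        "zip_contains_executable": [],
        "verdict": "clean",
    }
    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None:
        result["body_match"] = body_part.get_content().strip() == SOBIG_E_BODY

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in SOBIG_E_ATTACHMENTS:
            result["attachment_match"] = True
        if not name.endswith(".zip"):
            continue
        # Archive scanning: look inside the ZIP instead of trusting the outer name.
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_EXTS):
                        result["zip_contains_executable"].append(member)
        except zipfile.BadZipFile:
            result["zip_contains_executable"].append("<unreadable archive>")

    lure = result["subject_match"] or result["body_match"] or result["attachment_match"]
    if result["zip_contains_executable"] and lure:
        result["verdict"] = "sobig.e-like"
    elif result["zip_contains_executable"]:
        result["verdict"] = "suspicious"
    return result


def build_sample_message(subject: str, archive_name: str, inner_name: str,
                         body: str = SOBIG_E_BODY) -> bytes:
    """Construct a test message; a text stub stands in for the worm's executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"constructed test payload, not an executable")
    msg = EmailMessage()
    msg["From"] = "support@yahoo.com"   # one of the forged sender addresses named above
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=archive_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample_message("Re: Application", "your_details.zip", "details.pif")
    print(scan_message(sample))
```

A ZIP whose member list contains a .pif or .scr file is flagged even when the lure text does not match, which is the point of scanning inside the archive rather than matching only on the outer file name.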

[Screenshot: an infected message sent by the worm]

To collect victims' e-mail addresses, the worm scans files with the following extensions:

 .WAB
 .DBX
 .HTM
 .HTML
 .EML
 .TXT

The worm fakes the sender's e-mail address in the "From:" field. It can be 'support@yahoo.com' or any other e-mail address that the worm finds on an infected system.

Sobig.E worm has its own SMTP engine. It has a list of SMTP servers inside its body and it uses these servers to spread itself.

Spreading in local network

The worm enumerates network resources and tries to locate startup folders on remote computers:

 \Windows\All Users\Start Menu\Programs\StartUp\
 \Documents and Settings\All Users\Start Menu\Programs\Startup\

If the worm finds any of these folders, it copies itself there. The remote computer becomes infected with the worm after its next restart.
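The installation artifacts (WINSSK32.EXE and MSRRF.DAT in the Windows folder, the "SSK Service" Run values) and the startup-folder drops described in this section give an incident responder a short checklist. The following Python script is an added example written for this description, not F-Secure's removal tool and not part of the worm. It parses a registry export in .reg text format for the worm's Run values and walks a drive root for the worm's files and for executables placed in the two startup folders. Both the registry export and the directory tree are constructed inside the script; the details.pif drop in the StartUp folder is a constructed extra to exercise the extension check, not something the description attributes to the worm.

```python
import re
import tempfile
from pathlib import Path

# Host artifacts named in the description.
WORM_FILE = "winssk32.exe"        # copied to the Windows folder
WORM_DATA_FILE = "msrrf.dat"      # optional data file in the Windows folder
RUN_VALUE_NAME = "SSK Service"    # value name of the Run keys the worm creates
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
STARTUP_FOLDERS = (
    r"Windows\All Users\Start Menu\Programs\StartUp",
    r"Documents and Settings\All Users\Start Menu\Programs\Startup",
)
EXECUTABLE_EXTS = (".exe", ".pif", ".scr", ".com")

# Constructed sample in "reg export" text format; the "Sound" value is benign noise.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SSK Service"="C:\\WINDOWS\\winssk32.exe"
"Sound"="C:\\Program Files\\Audio\\tray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SSK Service"="C:\\WINDOWS\\winssk32.exe"
"""


def find_run_key_artifacts(reg_export: str) -> list:
    """Return Run-key values that match the worm's value name or file name."""
    hits = []
    current_key = None
    run_keys = {k.lower() for k in RUN_KEYS}
    for line in reg_export.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current_key = key.group(1)
            continue
        if current_key is None or current_key.lower() not in run_keys:
            continue
        value = re.match(r'^"([^"]+)"="(.*)"$', line)
        if value and (value.group(1) == RUN_VALUE_NAME
                      or WORM_FILE in value.group(2).lower()):
            hits.append(f"{current_key}\\{value.group(1)} = {value.group(2)}")
    return hits


def find_file_artifacts(root: Path) -> list:
    """Walk a drive root for the worm's files and executables dropped into startup folders."""
    startup = {f.lower() for f in STARTUP_FOLDERS}
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix().replace("/", "\\")
        parent = path.parent.relative_to(root).as_posix().replace("/", "\\")
        name = path.name.lower()
        if name in (WORM_FILE, WORM_DATA_FILE):
            hits.append(rel)
        elif parent.lower() in startup and name.endswith(EXECUTABLE_EXTS):
            hits.append(rel)
    return sorted(hits)


def build_sample_tree() -> Path:
    """Create a constructed directory tree mimicking an infected system drive."""
    root = Path(tempfile.mkdtemp(prefix="sobig_e_demo_"))
    files = [
        r"Windows\winssk32.exe",
        r"Windows\msrrf.dat",
        r"Documents and Settings\All Users\Start Menu\Programs\Startup\winssk32.exe",
        r"Windows\All Users\Start Menu\Programs\StartUp\details.pif",  # constructed extra
        r"Windows\All Users\Start Menu\Programs\StartUp\readme.txt",   # benign
        r"Program Files\Audio\tray.exe",                                # benign
    ]
    for rel in files:
        target = root.joinpath(*rel.split("\\"))
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed placeholder, not a real binary")
    return root


if __name__ == "__main__":
    print(find_run_key_artifacts(SAMPLE_REG_EXPORT))
    print(find_file_artifacts(build_sample_tree()))
```

Because the worm writes the same value under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, a clean-up that removes only one of them leaves the worm starting again at the next logon; the registry check therefore reports each key separately.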

Backdoor routine

The worm has the ability to download and run files on an infected system. A hacker can send a URL to the worm (through the port that the worm listens on), and the worm downloads and runs the file that the URL points to. This feature can be used to update the worm or to install trojans or backdoors on an infected computer.

Deactivation routine

The Sobig.E worm, like its earlier variants, has a limited lifetime. It stops spreading on the 14th of July 2003.

Detection

F-Secure Anti-Virus detects Sobig.E as 'I-Worm.Sobig.gen' using generic detection. However, the exact detection was published on June 25th, 2003 in update:

[FSAV_Database_Version]

Version=2003-06-25_04

The worm is detected when it is extracted from the zip file. In order to detect the worm at the gateway level, archive scanning must be enabled.

Sobig history

The following table shows all the Sobig variants, with their expiration dates and when they were first found in the wild. The "Detection" field refers to when we first had databases which detected the corresponding variant.

 Variant         Found           Expires         Detection
 _____________________________________________________________
 Sobig.A         January 9th     NO              2003-01-09_04
 Sobig.B         May 18th        May 31st        2003-05-19_03
 Sobig.C         May 31st        June 8th        2003-06-01_01
 Sobig.D         June 18th       July 2nd        2003-06-18_03
 Sobig.E         June 25th       July 14th       2003-06-26_02
 Sobig.F         August 19th     September 10th  2003-08-19_02
 _____________________________________________________________

Disinfection Tool

F-Secure has created a special removal tool to remove the active Sobig.E infection and all its traces. The tool is available from our ftp site:

ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.zip

Instructions for the removal are in this file:

ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.txt

[Description: F-Secure Anti-Virus Research Team; June 25-26th, 2003]