[windows2000] Alert! Lookout !!! New variant of Sobig Virus.
- From: "Jim Kenzig http://thethin.net" <jimkenz@xxxxxxxxxxxxxx>
- To: <thin@xxxxxxxxxxxxx>, <windows2000@xxxxxxxxxxxxx>
- Date: Tue, 19 Aug 2003 22:52:03 -0400
I just got 1300 messages with this one in it!!!! Trend says medium
alert...Id rate it much higher!
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F
QUICK LINKS Solution
----------------------------------------------------------------------------
----
Virus type: Worm
Destructive: No
Aliases: Win32.HLLM.Reteras, W32.Sobig.F@mm, W32/Sobig.f@MM, Sobig.F,
Win32.Sobig.F, W32/Sobig-F, I-Worm.Sobig.f
Pattern file needed: 617
Scan engine needed: 6.100
Overall risk rating: Medium
----------------------------------------------------------------------------
----
Reported infections: Medium
Damage Potential: High
Distribution Potential: High
----------------------------------------------------------------------------
----
Description:
TrendLabs has received several infection reports of this mass-mailing worm
from Norway and Spain. As of 12:19 PM GMT, Trend Micro has declared a Medium
Risk alert to control the spread of this malware.
This worm propagates by mass-mailing copies of itself using its own Simple
Mail Transfer Protocol (SMTP) engine. It collects email addresses from files
with the following extensions:
DBX
HLP
MHT
WAB
HTML
HTM
TXT
EML
It sends out email messages with the following details:
Subject: <any of the following:>
Re: Thank you!
Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Message body: <any of the following:>
See the attached file for details.
Please see the attached file for details.
Attachment: <any of the following:>
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
It may spoof the FROM field using email addresses found on the infected
machine so that its email messages appear to originate from one source but
was actually sent from another.
This worm deactivates its propagation routine on September 10, 2003.
This worm runs on Windows 95, 98, ME, NT, 2000, and XP.
Solution:
AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please use the Trend
Micro System Cleaner.
MANUAL REMOVAL INSTRUCTIONS
Identifying the Malware Program
To remove this malware, first identify the malware program.
Scan your system with your Trend Micro antivirus product.
NOTE all files detected as WORM_SOBIG.F.
Trend Micro customers need to download the latest pattern file before
scanning their system. Other Internet users may use Housecall, Trend Micro?s
free online virus scanner.
Terminating the Malware Program
This procedure terminates the running malware process from memory. You will
need the name(s) of the file(s) detected earlier.
Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the malware file or files detected
earlier.
Select one of the detected files, then press either the End Task or the End
Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and
then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show
certain processes. You may use a third party process viewer to terminate the
malware process. Otherwise, continue with the next procedure, noting
additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from
executing during startup.
To remove the malware autostart entries:
Open Registry Editor. To do this, click Start>Run, type Regedit, then press
Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>
CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
TrayX = "%Windows%\winppr32.exe /sinc"
(Note: %Windows% is the Windows folder, which is usually C:\Windows or
C:\WINNT.)
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>
CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
TrayX = "%Windows%\winppr32.exe /sinc"
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as
described in the previous procedure, restart your system.
Deleting Dropped File
Right-click Start then click Search? or Find? depending on your version of
Windows.
In the Named input box, type:
WINSTT32.DAT
In the Look In drop-down list, select the drive which contains Windows, then
press Enter.
Once located, select the file then hit Delete.
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as
WORM_SOBIG.F. To do this, Trend Micro customers must download the latest
pattern file and scan their system. Other Internet users can use HouseCall,
Trend Micro?s free online virus scanner.
For product specific solutions, please refer to Solution 16031 of Trend
Micro's Knowledge Base.
Trend Micro offers best-of-breed antivirus and content-security solutions
for your corporate network or home PC.
For additional information about this threat, see Technical Details.
********************************************************
This Week's Sponsor - RTO Software / TScale
What's keeping you from getting more from your terminal servers? Did you know,
in most cases, CPU Utilization IS NOT the single biggest constraint to scaling
up?! Get this free white paper to understand the real constraints & how to
overcome them. SAVE MONEY by scaling-up rather than buying more servers.
http://www.rtosoft.com/Enter.asp?ID=148
**********************************************************
To Unsubscribe, set digest or vacation
mode or view archives use the below link.
http://thethin.net/win2000list.cfm
Other related posts:
- » [windows2000] Alert! Lookout !!! New variant of Sobig Virus.
