[windows2000] Virus Alert: SOBIG Worm

  • From: Jim Kenzig <jimkenz@xxxxxxxxxxxxxx>
  • To: windows2000@xxxxxxxxxxxxx, thin@xxxxxxxxxxxxx,ossecurityalert@xxxxxxxxxxxxx
  • Date: Mon, 13 Jan 2003 13:28:21 -0500

This one appears to be spreading fast. It has already reached #5 in trends
top ten viruses.
JK

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.A
This memory-resident, multi-threaded worm propagates via email and shared
network folders.
It sends copies of itself via email using its own Simple Mail Transfer
Protocol or SMTP engine and obtains its target recipients from addresses
found in files with the following extensions:
*       WAB
*       DBX
*       HTM
*       HTML
*       EML
*       TXT
The details of the email that it sends are as follows:
Sender: big@xxxxxxxx
Subject: <could be any of the following>
Re: Movies
Re: Sample
Re: Document
Re: Here is that sample
Attachment: <could be any of the following>
Movie_0074.mpeg.pif
Document003.pif
Untitled1.pif
Sample.pif
This worm also downloads files from remote Web sites.
Solution:

Terminating the Malware Program
This procedure terminates the running malware process from memory.
        Open Windows Task Manager.
        On Windows 9x/ME systems, press CTRL+ALT+DELETE.
        On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the
        Processes tab.
        In the list of running programs*, locate the process: WINMGM32
        Select the malware process, then press either the End Task or the End
        Process button, depending on the version of Windows on your system.
        To check if the malware process has been terminated, close Task Manager,
        and then open it again.
        Close Task Manager.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from
executing during startup.
        Open Registry Editor. To do this, click Start>Run, type REGEDIT, then
        press Enter.
        In the left panel, double-click the following:
        HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
        In the right panel, locate and delete the entry or entries: WindowsMGM
        In the left panel, double-click the following:
        HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
        In the right panel, locate and delete the entry or entries: WindowsMGM
        Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as
described in the previous procedure, restart your system.
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as
WORM_SOBIG.A. To do this, Trend Micro customers must download the latest
pattern file </download/pattern.asp> and scan their system. Other Internet
users can use HouseCall, Trend Micro's free online virus scanner
<http://housecall.antivirus.com>.
Deleting Malware Files
On Windows 9x/NT
        Click Start>Find>Files and Folders.
        In the Named input box, type:
        DWN.DAT;SNTMLS.DAT
        In the Look In drop-down list, select the drive which contains Windows,
then press Enter.
On Windows 2000/ME/XP
        Click Start>Search>For Files and Folders.
        In the Search for files and folders named input box, type:
        DWN.DAT;SNTMLS.DAT
        In the Look In drop-down list, select the drive which contains Windows,
then press Enter.
Once the files are found right-click each file then select DELETE. Click YES
when prompted.
Additional Windows ME/XP Cleaning Instructions
<http://www.trendmicro.com/en/security/advisories/win_me_clean.htm>
Trend Micro offers best-of-breed antivirus and content-security solutions
for your corporate network
<http://www.antivirus.com/banners/tracking.asp?si=88&bi=211&ul=/products/>
or home PC
<http://www.antivirus.com/banners/tracking.asp?si=88&bi=210&ul=/pc-cillin/>.
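Added example (not from the post or from Trend Micro's advisory): a mail-gateway style check that parses a raw message with Python's standard email library and reports which of the SOBIG.A indicators quoted above (sender, subject lines, attachment names) it matches. The sender's domain is redacted in the archive, so matching only the local part "big", and the example.invalid addresses in the constructed sample messages, are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Indicators as quoted in the advisory. Domain of the sender is redacted in the
# list archive, so only the local part is matched (assumption).
SOBIG_SENDER_LOCALPART = "big"
SOBIG_SUBJECTS = {"Re: Movies", "Re: Sample", "Re: Document", "Re: Here is that sample"}
SOBIG_ATTACHMENTS = {"Movie_0074.mpeg.pif", "Document003.pif", "Untitled1.pif", "Sample.pif"}


def attachment_names(msg):
    """Return the filename of every attachment part in a parsed message."""
    return [part.get_filename() for part in msg.walk()
            if part.get_content_disposition() == "attachment" and part.get_filename()]


def sobig_indicators(raw):
    """Parse one raw RFC 822 message and list the SOBIG.A indicators it matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    localpart = parseaddr(str(msg.get("From", "")))[1].split("@")[0].lower()
    if localpart == SOBIG_SENDER_LOCALPART:
        hits.append("sender")
    if str(msg.get("Subject", "")).strip() in SOBIG_SUBJECTS:
        hits.append("subject")
    for name in attachment_names(msg):
        if name in SOBIG_ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name.lower().endswith(".pif"):
            hits.append("pif:" + name)  # any .pif attachment deserves a look
    return hits


def is_sobig_candidate(raw):
    """Flag a message when a listed attachment name is paired with the sender or subject."""
    hits = sobig_indicators(raw)
    has_attachment = any(h.startswith("attachment:") for h in hits)
    return has_attachment and ("sender" in hits or "subject" in hits)


# Constructed sample messages (not real captures); domains are placeholders.
SAMPLE_WORM = (
    "From: big@example.invalid\r\nTo: user@example.invalid\r\n"
    "Subject: Re: Movies\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    "--b1\r\nContent-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="Movie_0074.mpeg.pif"\r\n'
    "\r\nMZ...\r\n--b1--\r\n"
)
SAMPLE_CLEAN = (
    "From: alice@example.invalid\r\nSubject: Re: Sample\r\n"
    "Content-Type: text/plain\r\n\r\nHere is the sample data.\r\n"
)
```

A matching subject alone (SAMPLE_CLEAN) is reported but not flagged; the attachment name is what the decision hinges on.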