W32/SoBig.C Last Updated 06/02/03 12:00pm
The w32/SoBig.C email virus is spreading in the wild. w32/SoBig.C is a mass mailing worm that also spreads through open network shares. The worm spoofs the address of the sender with a random address and uses its own SMTP engine to send mail from the infected client.
The subject of the email may be one of the following:
- Approved
- Re: 45443-343556
- Re: Application
- Re: Approved
- Re: Movie
- Re: Screensaver
- Re: Submited (004756-3463)
- Re: Your application
The attachment name is created at random and is known to have a .PIF or .PI extension.
The body of the message is: Please see the attached file.
When the attachment is run, the following files are dropped in the default Windows (typically C:\Windows, C:\WINNT) directory:
- "mscvb32.exe" (approx 50kB) (a copy of itself)
- "msddr.dat" (configuration file)
W32/SoBig.C creates the following registry keys to load itself at system startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "System MScvb" = %WinDir%\mscvb32.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "System MScvb" = %WinDir%\mscvb32.exe
On Windows NT4/2000/XP systems w32/SoBig.C creates a service named mscvb32.exe.
The current 4268 DAT/SuperDAT released by NAI will detect and remove w32/SoBig.C.
The definitions released 6-1-2003 and later by Symantec detect and remove w32/SoBig.C. The definitions are available through the LiveUpdate feature of Norton Antivirus.
For more information see:
http://vil.nai.com/vil/content/v_100343.htm from NAI regarding w32/SoBig.C.
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.c@mm.html from Symantec regarding w32/SoBig.C.
This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.
