Virus Alert: Sobig.E Threat Level Upgraded
Several antivirus software vendors on Thursday upgraded the threat level of the Sobig.E variant to medium, following increasing reports that the worm is spreading.
Sobig.E was first found on June 25 and is spreading in the wild. The worm usually arrives in e-mails with the body text "Please see the attached zip file for details." and the attachment "your_details.zip".
The worm's file is a PE executable 86528 bytes long, compressed with the Aspack and TELock file compressors. The unpacked worm's file size is over 130 kilobytes. Most of the text strings in the worm's body are encrypted with a complex algorithm, and the worm decrypts its strings on demand. When an infected attachment is run by a user, the worm installs itself on the system.
It copies its file as WINSSK32.EXE to the Windows folder and creates startup keys for that file in the System Registry. View them and other information at this F-Secure page.
Antivirus software vendor Sophos reports that Sobig-E (W32/Sobig-E) is the fifth variant of the Sobig worm -- but it differs from its older siblings in that it spreads itself in the form of a ZIP file. Even though the user has to unZIP the offending file and launch its content to become infected, some business networks are still falling victim to the worm.
Sophos advises all businesses to keep their virus protection up-to-date and educate their users about the perils of unsolicited code.
The best defense against Sobig-E is to get into the habit of never running unsolicited code and keep the email gateway and desktop virus protection up-to-date, a Sophos spokesman said.
Sobig-E is programmed to fall dormant on July 14 as all the Sobig worms have had limited life spans. If the virus writer continues with this pattern, Sophos says it would not be surprised if a sixth version of the worm were released shortly after the demise of Sobig-E.
More details of Sobig-E can be found at this Sophos page.
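The gateway-side check that Sophos recommends above can be illustrated in code. The following is an added example, not code from the article or from any vendor it cites: it parses a raw e-mail, opens any ZIP attachment in memory, and flags the message when the archive contains an executable, which is the delivery pattern described for Sobig.E. The message itself, the sender and recipient addresses, the subject line, the file inside the archive (your_details.exe) and the extension list are all constructed for the example; the article only gives the body text and the attachment name your_details.zip.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will run directly; a policy choice for this example, not from the article.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def has_executable_extension(name):
    return any(name.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def zip_members_with_executables(zip_bytes):
    """Return the member names inside a ZIP payload that carry an executable extension.

    A payload that is not a valid ZIP yields an empty list rather than an exception,
    so a corrupt attachment does not crash the gateway check.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if has_executable_extension(n)]


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and return (attachment name, risky members) findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if filename.lower().endswith(".zip"):
            risky = zip_members_with_executables(payload)
            if risky:
                findings.append((filename, risky))
        elif has_executable_extension(filename):
            # A bare executable attachment is flagged on its own name.
            findings.append((filename, [filename]))
    return findings


def build_sample_message():
    """Constructed sample resembling the Sobig.E lure: the quoted body text plus a ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed member name and content; the article does not name the file inside the ZIP.
        zf.writestr("your_details.exe", b"MZ placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"      # constructed
    msg["To"] = "user@example.invalid"           # constructed
    msg["Subject"] = "Re: Details"               # constructed
    msg.set_content("Please see the attached zip file for details.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="your_details.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, members in scan_message(build_sample_message()):
        print(f"quarantine {name}: executable content {members}")
```

The check looks inside the archive rather than at the attachment name alone, because the article's point is that a ZIP wrapper was enough to get past filters that only blocked bare executables. Password-protected or nested archives would need further handling beyond this example.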
PWS-Sincom Steals Passwords
This detection is for a password stealing Trojan written in MSVC.
At least two variants of this Trojan exist. When run on the victim machine, the Trojan executable copies itself to the Windows directory, and drops a DLL into the Windows System directory. For example:
A Registry key is added to hook system startup, for example:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "kernel" = C:\WINDOWS\BBOY.EXE
(Registry key name and filename may change.)
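Both the Sobig.E entry (WINSSK32.EXE in the Windows folder) and the PWS-Sincom entry above follow the same persistence pattern: a Run value whose target is an executable dropped directly into the Windows directory. The following is an added example, not code from the article or from McAfee or F-Secure: it parses Run entries written in the text form shown above and flags targets that sit directly in a Windows root directory. The second and third sample lines are constructed; the article gives the "kernel" = C:\WINDOWS\BBOY.EXE entry but not the value name Sobig.E uses, so "winssk32" is an assumed name, and the Windows root paths and the "Example Updater" entry are assumptions as well.

```python
import re
from pathlib import PureWindowsPath

# Matches the text form used in the article:  HIVE\Key\Path "ValueName" = data
RUN_LINE = re.compile(
    r'^(?P<hive>HKEY_[A-Z_]+)\\(?P<key>[^"]+?)\s+"(?P<name>[^"]*)"\s*=\s*(?P<value>.+)$'
)

# Assumed typical Windows root directories (lowercase for comparison).
WINDOWS_DIRS = {"c:\\windows", "c:\\winnt"}
EXECUTABLE_SUFFIXES = {".exe", ".com", ".scr", ".pif"}


def parse_run_entry(line):
    """Return a dict with hive, key, name and value, or None if the line is not a Run entry."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    return {"hive": m["hive"], "key": m["key"], "name": m["name"], "value": m["value"].strip()}


def command_path(value):
    """Extract the executable path from a Run value, dropping quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ")[0]


def is_suspicious(entry):
    """Flag executables that live directly in a Windows root directory (not a subfolder)."""
    path = PureWindowsPath(command_path(entry["value"]))
    parent = str(path.parent).lower()
    return parent in WINDOWS_DIRS and path.suffix.lower() in EXECUTABLE_SUFFIXES


def audit(lines):
    """Return (value name, value data) for every suspicious Run entry in the input lines."""
    findings = []
    for line in lines:
        entry = parse_run_entry(line)
        if entry and is_suspicious(entry):
            findings.append((entry["name"], entry["value"]))
    return findings


# Constructed sample: first line is from the article, the others are assumptions.
SAMPLE_RUN_ENTRIES = [
    'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "kernel" = C:\\WINDOWS\\BBOY.EXE',
    'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "winssk32" = C:\\WINDOWS\\WINSSK32.EXE',
    'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "Example Updater" = "C:\\Program Files\\Example\\updater.exe" /quiet',
]

if __name__ == "__main__":
    for name, value in audit(SAMPLE_RUN_ENTRIES):
        print(f"suspicious Run entry {name!r} -> {value}")
```

The rule is deliberately narrow: a legitimate product normally autostarts from its own folder under Program Files, so an executable dropped straight into the Windows root is worth a look even when its file name changes between variants, as the article notes it may.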
Strings within the DLL component suggest it is intended to terminate processes containing certain strings; the list can be viewed at this McAfee page.
Multidropper-GN Drops 'Joke' File
This threat is detected as Multidropper-GN. The Trojan will drop winlp32.exe which is detected as Backdoor-AGS. It will also drop the file ~tmp2.exe which is detected as SlipperyMouse joke.
Read more here.
Backdoor-AGQ Takes Snapshot of User's Desktop
This threat is detected as Backdoor-AGQ. There are several versions of this remote access Trojan.
When the Trojan is executed, it takes a snapshot of the user's desktop and saves it as desktop.jpg in the Windows directory. System information such as the network logon username and registered owner, together with the snapshot, is then sent to the author.
A typical interface for this Trojan can be viewed at this McAfee page.
Virus Infects all .com and .exe Files on C, D Drives
HLLP.Tivo.8784 is a prepending, memory-resident DOS virus that infects all the .com and .exe files in drives C and D, and in the system path. The size of an infected file is increased by 8,784 bytes.
Technical details are at this Symantec page.
Compiled by Esther Shein.