The latest in a family of Sobig worms is loose on the Internet.
Sobig.e (w32.sobig.e@mm) arrives by e-mail with an attached file and also spreads through shared network folders. Unlike earlier Sobig variants, this one reuses the subject lines of Sobig.c and sends only one attachment filename, which makes it somewhat easier to recognize. Sobig.e affects only Windows users.
Once executed, Sobig.e mails copies of itself using its own SMTP engine, so it does not depend on the victim's e-mail client to spread. It also attempts to download Trojan horse files from a website. The worm is self-terminating and will stop spreading after July 14, 2003. Because Sobig.e spreads via e-mail and network shares and may steal personal information such as passwords, it rates a 6 on the ZDNet Virus Meter.
How It Works
Sobig.e arrives by e-mail or through a shared network folder. The message appears to come from someone you may know, but the sender address is spoofed: the e-mail header is forged so that the message seems to originate somewhere other than its actual source. For example, you might receive Sobig.e from al@companyxyz.com while the owner of that address has no idea it is being used to send the worm. The subject line may be one of the following:
Application Ref. 456003
Your application
Re: Re: Document
Re: Re: Application ref. 003644
Re: Documents
Re: Screensaver
Re: Submitted (Ref: 003746)
Re: Movies
Re: Movie
Re: Application
The attached file is named your_details.zip. ZIP archives pass through most of the extension-blocking rules in e-mail clients, so the attachment is likely to reach your inbox; do not open it. Some copies sent from infected machines carry an attachment whose name ends in a truncated .zi extension instead of .zip, so a filter keyed to the literal .zip extension will not catch those copies either.
The body text for Sobig.e may also read, “Please see the attached file for details.”
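The indicators above (the subject lines, the single attachment name in its .zip and truncated .zi forms, and the body sentence) are enough for a simple mail-triage check. The script below is an added example written for this page, not code from ZDNet or from any antivirus vendor. It uses only the Python standard library and constructs its sample messages inline; the recipient address and the attachment bytes are placeholders, so nothing here involves the actual worm.

```python
"""Mail triage for the Sobig.e indicators listed above (constructed example)."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# Subject lines from the article. Reference numbers vary between copies,
# so those two are matched with \d+ rather than as literal strings.
SUBJECT_PATTERNS = [
    r"application ref\. \d+",
    r"your application",
    r"re: re: document",
    r"re: re: application ref\. \d+",
    r"re: documents",
    r"re: screensaver",
    r"re: submitted \(ref: \d+\)",
    r"re: movies?",
    r"re: application",
]
SUBJECT_RE = re.compile(r"^(?:%s)$" % "|".join(SUBJECT_PATTERNS), re.IGNORECASE)

# The single attachment name, allowing the truncated ".zi" form the
# article mentions as well as the normal ".zip".
ATTACHMENT_RE = re.compile(r"^your_details\.zip?$", re.IGNORECASE)

BODY_TEXT = "please see the attached file for details."


def scan_message(raw: bytes) -> dict:
    """Score one RFC 822 message against the three Sobig.e indicators.

    The From: header is deliberately ignored: the article notes it is forged,
    so it carries no signal about the real source.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)

    subject = str(msg["Subject"] or "").strip()
    subject_hit = SUBJECT_RE.match(subject) is not None

    attachment_hits = [
        part.get_filename()
        for part in msg.iter_attachments()
        if ATTACHMENT_RE.match(part.get_filename() or "")
    ]

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    body_hit = BODY_TEXT in " ".join(body.lower().split())

    # The attachment name is the most specific indicator, so it is weighted
    # higher than the generic-looking subject lines and body sentence.
    score = 2 * bool(attachment_hits) + int(subject_hit) + int(body_hit)
    verdict = "quarantine" if score >= 2 else "review" if score == 1 else "clean"
    return {
        "subject_hit": subject_hit,
        "attachment_hits": attachment_hits,
        "body_hit": body_hit,
        "score": score,
        "verdict": verdict,
    }


def build_sample(subject: str, body: str, attachment_name: Optional[str] = None) -> bytes:
    """Construct a test message; the addresses and attachment bytes are made up."""
    m = EmailMessage()
    m["From"] = "al@companyxyz.com"  # the spoofed sender from the article's example
    m["To"] = "recipient@example.test"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        # Placeholder bytes only; this is not a real archive and not the worm.
        m.add_attachment(b"PK\x03\x04 placeholder", maintype="application",
                         subtype="zip", filename=attachment_name)
    return m.as_bytes()


# Constructed samples: two Sobig.e-style messages and two benign ones.
SAMPLES = {
    "sobig_full": build_sample("Re: Application",
                               "Please see the attached file for details.",
                               "your_details.zip"),
    "sobig_truncated": build_sample("Application Ref. 456003", "Details attached.",
                                    "your_details.zi"),
    "benign_subject_only": build_sample("Re: Movie", "Did you like it?"),
    "benign": build_sample("Re: Lunch", "See you at noon.", "agenda.pdf"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = scan_message(raw)
        print(f"{name:22s} score={result['score']} verdict={result['verdict']}")
```

Running the file prints a verdict for each constructed sample. Two design points follow from the article: the From: header is not consulted because it is forged, and the attachment pattern accepts the truncated .zi name so that a rule keyed to the literal .zip extension does not let those copies through.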
The worm does not execute automatically; a user must open the attached file for the machine to become infected. Once run, it drops the following files into the default Windows directory:
WinSSK32.EXE (Copy of the worm)
MSRRF.DAT (configuration file)
The worm then searches saved files with the following extensions for embedded e-mail addresses to use as mailing targets:
TXT
EML
HTML
HTM
DBX
WAB
Sobig.e may also carry a list of servers to which it sends packets on port 123, the port used by the Network Time Protocol (NTP); outbound traffic from a workstation to unfamiliar hosts on that port is therefore worth watching.
Source: ZDNet