TREND MICRO warns of a new worm with high damage potential: WORM_SOBIG.F
The TrendLabs of TREND MICRO are again warning of a worm that so far has seen
little spread in Europe but has a high damage and distribution potential.
Affected systems are Windows 95, 98, ME, NT, 2000, and XP.
TREND MICRO detects the computer worm as of pattern file 617.
WORM_SOBIG.F spreads as a file attachment to mass e-mails sent through its own
SMTP engine. It extracts the recipient addresses for its mass mailing from
files with the extensions *.DBX, *.HLP, *.MHT, *.WAB and *.HTML.
The subject line varies among the following messages:
Re: Thank you!
Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
The message body contains one of the following texts:
See the attached file for details.
Please see the attached file for details.
The attachment has one of the following names:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
Re: Thank you!
Further information about the virus can be found in the original English press
release from TREND MICRO:
Date: 19th August 2003
TREND MICRO Warns Computer Users of WORM_SOBIG.F, a New Variant of the Mass
Mailing Worm SOBIG
Malware Name: WORM_SOBIG.F
Aliases: Win32.HLLM.Reteras
Overall Risk Rating: Medium
Damage Potential: High
Distribution Potential: High
TREND MICRO customers should download pattern file #618 at www.trendmicro.com/download/pattern.asp.
TREND MICRO Control Manager™ Outbreak Prevention Policy #48, and TREND
MICRO System Cleaner #162 ver 03 will be available shortly. Non-TREND MICRO
customers should scan their IT systems with TREND MICRO's free online
scanner, Housecall, which can be found at http://housecall.trendmicro.com/.
This worm propagates by mass-mailing copies of itself using its own Simple Mail
Transfer Protocol (SMTP) engine. It collects email addresses from files with
the following extensions:
DBX
HLP
MHT
WAB
HTML
The email message it sends out contains the following details:
Subject:
Re: Thank you!
Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Message body:
See the attached file for details.
Please see the attached file for details.
Attachment:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
Re: Thank you!
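The subject, body and attachment names listed above can be turned into a simple mail-gateway check. The following Python script is an added example, not part of the TREND MICRO advisory; it parses a constructed sample message (not a real capture) and reports which of the advisory's indicators it matches, also flagging any .pif/.scr attachment that uses a name not on the list.

```python
import email
from email import policy

# Indicators taken from the advisory above.
SUBJECTS = {"Re: Thank you!", "Thank you!", "Re: Details", "Re: Re: My details",
            "Re: Approved", "Re: Your application", "Re: Wicked screensaver",
            "Re: That movie"}
BODIES = {"See the attached file for details.",
          "Please see the attached file for details."}
ATTACHMENTS = {"your_document.pif", "document_all.pif", "thank_you.pif",
               "your_details.pif", "details.pif", "document_9446.pif",
               "application.pif", "wicked_scr.scr", "movie0045.pif"}

def check_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and report which SOBIG.F indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    hits = {
        "subject": subject in SUBJECTS,
        "body": body in BODIES,
        "attachment": any(n in ATTACHMENTS for n in names),
        # A .pif/.scr attachment is worth flagging even under a new file name.
        "executable_ext": any(n.lower().endswith((".pif", ".scr")) for n in names),
    }
    if hits["subject"] and hits["body"] and hits["attachment"]:
        hits["verdict"] = "SOBIG.F"
    elif hits["executable_ext"]:
        hits["verdict"] = "suspicious"
    else:
        hits["verdict"] = "clean"
    return hits

# Constructed sample message mimicking the pattern described above; the
# attachment content is a placeholder string, not worm code.
SAMPLE = b"""From: someone@example.com
To: recipient@example.com
Subject: Re: That movie
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached file for details.
--b1
Content-Type: application/octet-stream; name="movie0045.pif"
Content-Disposition: attachment; filename="movie0045.pif"

placeholder
--b1--
"""

if __name__ == "__main__":
    print(check_message(SAMPLE))
```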
It runs on Windows 95, 98, ME, NT, 2000, and XP systems.
Upon execution, this worm drops a copy of itself in the Windows folder as
winppr32.exe:
%Windows%\winppr32.exe
(Note: %Windows% is your Windows folder, which by default is C:\Windows for
Windows 9x, ME, and XP or C:\Winnt for Windows NT and 2000 systems)
It also drops a non-malicious text file, winstt32.dat, in the Windows
folder:
%Windows%\winstt32.dat
To ensure that it is automatically executed at every Windows startup, it adds
the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
TrayX = "%Windows%\winppr32.exe /sinc"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
TrayX = "%Windows%\winppr32.exe /sinc"