This section helps you to understand how it behaves
W32/Sobig-A is a worm that uses a built-in SMTP client and local Windows
network shares to spread.
W32/Sobig-A arrives in an email with the following characteristics:
From: big@boss.com
Subject line -chosen from:
Re: Movies
Re: Sample
Re: Document
Re: Here is that sample
Attached file - chosen from:
Document003.pif
Sample.pif
Untitled1.pif
Movie_0074.mpeg.pif
The worm searches the local hard drive for files with the extensions TXT,
HTML, EML, HTM, WAB and DBX. The files are used to extract a list of
recipient email addresses that will be used by the worm to send infected
emails.
When the attachment is run, W32/Sobig-A copies itself into the Windows
folder as Winmgm32.exe and creates a new process by running the file.
W32/Sobig-A creates the following registry values to run itself on Windows
startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM
The worm connects to a website and attempts to download the file reteral.txt
which contains a URL to another file. W32/Sobig-A then attempts to download
and run the referenced file.
The worm also attempts to copy itself onto Windows shares of the local
network if the folders Windows\All Users\Start Menu\Programs\StartUp or
Documents and Settings\All Users\Start Menu\Programs\Startup exist in a
shared folder.
