The Computer Guys

Miami to Fort Lauderdale Since 1994 - Thank You!

We Build the Best & Repair the Rest! ©

 

Top 10 malware reported to Sophos in May 2003

Position  Last month  Malware         Percentage of reports
1         New         W32/Sobig-B     19.9%
2         New         W32/Fizzer-A     9.8%
3         1           W32/Klez-H       7.1%
4         2           W32/Lovgate-E    4.2%
5         4           W32/Sobig-A      3.1%
6         5=          W32/ElKern-C     2.4%
7         3           W32/Bugbear-A    1.9%
8         New         W32/Yaha-P       1.6%
9         Re-entry    W32/Nimda-D      1.4%
10        Re-entry    W32/Opaserv-G    1.1%
                      Others          47.5%

 

Description
W32/Sobig-B is a worm which spreads by email and also attempts to copy itself to network shares.

The worm appears to arrive as a .PIF attachment from support@microsoft.com.

Emails containing W32/Sobig-B combine a fixed message body:

Message text: All information is in the attached file

is combined with one of the following subject lines and attached filenames:

Subject lines:
Your details
Approved (Ref: 38446-263)
Re: Approved (Ref: 3394-65467)
Your password
Screensaver
Re: My details
Cool screensaver
Re: Movie
Re: My application

Attached filenames:
your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif

W32/Sobig-B copies itself into your Windows folder under the name msccn32.exe and then sets the registry values:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Tray
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System Tray

so that it runs every time you log on to your computer.

W32/Sobig-B searches for email addresses in numerous locations on your hard disk, including WAB (Windows Address Book), DBX, HTM, HTML, EML and TXT files. The worm then sends itself to these addresses. You do not need to have Outlook or Outlook Express installed for W32/Sobig-B to work - it is programmed with its own mail-sending code.

W32/Sobig-B also enumerates network shares and attempts to copy itself to the following folders on the share:

Document and Settings\All Users\Start Menu\Programs\Startup
and
Windows\All Users\Start Menu\Programs\Startup

so that the worm runs when the remote system is restarted.

Sophos recommends that users of its MailMonitor for SMTP product block all executable attachments at their mail server via its threat reduction technology. The risks associated with email-borne executables are huge, yet there is little or no business case for allowing program files to be sent and received by email.

Note: Microsoft does not distribute executable files by email, so the emails generated by this worm are obviously bogus.
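The following is an added example written for this page; it is not Sophos's code and not the logic of the MailMonitor product. It applies the two defensive points above at a mail gateway: refuse any executable attachment outright (the extension list is an assumption of the example), and, separately, report which of the documented W32/Sobig-B traits (sender, subject line, attachment name, body text) a message shows, so that a single coincidental match such as the subject "Re: Movie" does not on its own quarantine legitimate mail. Both sample messages are constructed for the example.

```python
"""Added example for this page (not Sophos's or MailMonitor's code):
gateway-side checks for the W32/Sobig-B mail traits listed above and
for the blanket "no executable attachments" rule. Sample messages are
constructed; the executable-extension list is an assumption."""
from __future__ import annotations

import os
from email import message_from_string
from email.message import Message

# Indicators copied from the description above.
SOBIG_B_SENDER = "support@microsoft.com"
SOBIG_B_BODY = "All information is in the attached file"
SOBIG_B_SUBJECTS = {
    "Your details", "Approved (Ref: 38446-263)",
    "Re: Approved (Ref: 3394-65467)", "Your password", "Screensaver",
    "Re: My details", "Cool screensaver", "Re: Movie", "Re: My application",
}
SOBIG_B_ATTACHMENTS = {
    "your_details.pif", "ref-394755.pif", "approved.pif", "password.pif",
    "doc_details.pif", "screen_temp.pif", "screen_doc.pif", "movie28.pif",
    "application.pif",
}
# Assumed list of extensions to refuse outright, following the recommendation
# to block all executable attachments at the mail server.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".com", ".scr", ".bat", ".cmd", ".vbs"}


def attachment_names(msg: Message) -> list[str]:
    """Filenames of every MIME part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def executable_attachments(msg: Message) -> list[str]:
    """Attachments whose extension (case-insensitive) is on the block list."""
    return [n for n in attachment_names(msg)
            if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTENSIONS]


def sobig_b_traits(msg: Message) -> list[str]:
    """Which of the documented Sobig-B traits the message exhibits."""
    traits = []
    if SOBIG_B_SENDER in msg.get("From", "").lower():
        traits.append("sender")
    if (msg.get("Subject") or "").strip() in SOBIG_B_SUBJECTS:
        traits.append("subject")
    if any(n.lower() in SOBIG_B_ATTACHMENTS for n in attachment_names(msg)):
        traits.append("attachment")
    for part in msg.walk():
        # Only non-attachment text/plain parts count as the message body.
        if part.get_content_type() == "text/plain" and not part.get_filename():
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            if SOBIG_B_BODY.lower() in text.lower():
                traits.append("body")
                break
    return traits


def analyze(raw: str) -> dict:
    """Gateway verdict for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    execs = executable_attachments(msg)
    traits = sobig_b_traits(msg)
    # The blanket executable rule is reason enough on its own. The trait
    # match needs two or more hits so that an innocent "Re: Movie" subject
    # alone does not get a legitimate mail quarantined.
    verdict = "block" if execs or len(traits) >= 2 else "allow"
    return {"verdict": verdict, "executable": execs, "sobig_b": traits}


# Constructed sample resembling the described worm mail. The attachment
# payload is a placeholder string, not a real file.
SAMPLE_SOBIG = """\
From: support@microsoft.com
To: user@example.com
Subject: Re: Movie
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

All information is in the attached file
--b1
Content-Type: application/octet-stream; name="movie28.pif"
Content-Disposition: attachment; filename="movie28.pif"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

# Constructed benign mail that shares one trait (the subject) and nothing else.
SAMPLE_BENIGN = """\
From: alice@example.com
To: bob@example.com
Subject: Re: Movie
Content-Type: text/plain

Still on for Friday? I put the trailer link in the shared folder.
"""

if __name__ == "__main__":
    for name, raw in (("worm-like", SAMPLE_SOBIG), ("benign", SAMPLE_BENIGN)):
        print(name, analyze(raw))
```

The executable rule fires first because, as the text says, there is little business case for program files in email at all; the trait match is kept as an independent reason so that a gateway which only quarantines known patterns still has something to act on.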

Recovery
Read instructions on how to remove the W32/Sobig-B worm.


Our VIRUS Alert Post for May 2003

Here you will find recent virus alerts...

Descriptions for Newly Discovered Threats (Includes Viruses, Trojans and Hoaxes)

Name  Date Discovered  Home Risk  Corporate Risk  Included In DAT
W32/Sobig.c@MM 05/31/2003 Medium Medium 4268
JS/Fortnight.c@M 05/29/2003 Low Low 4269
W32/Auric@MM 05/29/2003 Low Low 4269
W32/Holar.h@MM 05/28/2003 Low Low 4267
Adware-Ezula application 05/27/2003 N/A N/A 4267
W32/Naco.b@mm 05/27/2003 Low Low 4268
QDial6 05/26/2003 Low Low 4268
Adware-SSF application 05/23/2003 N/A N/A 4267
JS/StartPage.dr 05/22/2003 Low Low 4267
Crack-DTNetscan 05/22/2003 N/A N/A 4267
W32/Duksten.o@MM 05/22/2003 Low Low 4267
CPUhog application 05/20/2003 Low Low 4267
IRC/Flood.cd 05/19/2003 Low Low 4267
W32/Tarit.worm 05/19/2003 Low Low 4267
W32/Naco.a@MM 05/19/2003 Low Low 4267
W32/Gant.b@MM 05/18/2003 Low Low 4266
W32/Sobig.b@MM 05/18/2003 Medium Medium 4265
W32/Melare@MM 05/17/2003 Low Low 4266
W32/Lovgate.l@M 05/14/2003 Low Low 4266
W32/Lovgate.j@M 05/12/2003 Low Low 4254
W32/Lovgate.k@M 05/12/2003 Low Low 4264
W32/Fizzer@MM 05/08/2003 Medium Medium 4263
W32/Kickin@MM 05/07/2003 Low Low 4262
PWS-Yipper 05/06/2003 Low Low 4262
KeyLog-KeyRecord application 05/05/2003 N/A N/A 4264
PWS-Watsn 05/04/2003 Low Low 4264
PWCrack-Xavior 05/02/2003 N/A N/A 4264
IRC-Vup 05/01/2003 Low Low 4262


Copyright © 1998 The Computer Guys