echo: virus
to: ALL
from: KURT WISMER
date: 2003-06-14 12:32:00
subject: News

[cut-n-paste from sophos.com]

W32/Anacon-D

Type
Win32 executable file virus

Detection
At the time of writing Sophos has received no reports from users 
affected by this virus. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
W32/Anacon-D attempts to spread using email and may also infect 
executable files in the Windows System folder.

The virus arrives in an email with the following characteristics:
Subject line: Randomly chosen from -
Alert! New Variant W32/Naco.F{at}mm has been detected!
British Air Will Backcrupt
Crack for Nokie LogoManager 1.3
FoxNews Reporter: What
Free SMS Via NACO SMS!
Get Free SMTP Server at Click Here!
Get Your Free XXX Password!
Gotcha baby!
Help me plz!
Less And More
Microsoft Windows LongHorn XP
News: US Govermenvt try to make wars with Teheran.
Patch for Microsoft Windows XP 64bit
Re: are you married?(3)
Seagate Baracuda 80GB for $???
Small And Destructive!
TIPs: CODE FOR CRACKING EB SERVER
You r a chichy boy, you r a chicky girl
Your XXX Password: ud78sd8df

Message text: Randomly chosen from -
"Hello dear,
I'm gonna missed you babe, hope we can see again!
In Love,
Rekcahlem ~~ Anacon"

"Attention!
Please do not eat pork! The SARS virus may come from the pig. So 
becareful.
For more information check the attachment.
Regard, WTO"

"
(blank)
You may not see the message because the message has been convert to the
attachment. Please open an attachment to see the message."

"Hi babe, Still missing me! I have send to you a special gift I made it 
my own. Just for you. Check it out the attachment.
Your Love,
Rekcahlem"

"Great to see you again babe! This is file you want las week. Please 
don't
distribute it to other.
Regard,
V.C."

Attached file: csrss32.exe

When run, the virus displays the message
".: Anacon 6 Worm :.
THanX f0r SupPoRted:
Dincracker, Foot-Art, PakBrain, Fady911x, Anacon, Axam, Sh4m_Skru, 
AjeedNASA,
Incisibleman, Zied666 and all my frenz...".

W32/Anacon-D copies itself to the system folder as csrss32.exe and 
creates the following registry entries so that the virus is run on 
Windows startup:

\HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ALM
\HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Services

The virus will also copy itself into the Startup folder with randomly
generated names.

W32/Anacon-D has a backdoor component that allows a malicious user 
remote access to the computer when the virus is active. The virus 
attempts to send a notification email containing system information to 
a remote email address.

As a backdoor the virus initiates a port connection providing 
unauthorized access to the infected computer, which allows an intruder 
to manipulate the CD-audio door, CD-ROM and Clipboard, play media, 
drop a keylogger and download a file.

The virus may also attempt to terminate the following anti-virus 
programs and security related processes and delete all files from the 
corresponding program folders:

_Avp32.exe
_Avpcc.exe
_Avpm.exe
Ackwin32.exe
Anti-Trojan.exe
Apvxdwin.exe
Autodown.exe
Ave32.exe
Avgctrl.exe
Avkserv.exe
Avnt.exe
Avp.exe
Avp32.exe
Avpcc.exe
Avpdos32.exe
Avpm.exe
Avptc32.exe
Avpupd.exe
Avsched32.exe
Avwin95.exe
Avwupd32.exe
Blackd.exe
Blackice.exe
Cfiadmin.exe
Cfiaudit.exe
Cfinet.exe
Cfinet32.exe
Claw95.exe
Claw95cf.exe
Cleaner.exe
Cleaner3.exe
Dvp95.exe
Dvp95_0.exe
Ecengine.exe
Esafe.exe
Espwatch.exe
f-Agnt95.exe
Findviru.exe
Fprot.exe
f-Prot.exe
f-Prot95.exe
Fp-Win.exe
Frw.exe
f-Stopw.exe
Iamapp.exe
Iamserv.exe
Ibmasn.exe
Ibmavsp.exe
Icload95.exe
Icloadnt.exe
Icmon.exe
Icsupp95.exe
Icsuppnt.exe
Iface.exe
Iomon98.exe
Jedi.exe
Lookout.exe
Luall.exe
Moolive.exe
Mpftray.exe
N32scanw.exe
Navapw32.exe
Navlu32.exe
Navnt.exe
Navw32.exe
Navwnt.exe
Nisum.exe
Nmain.exe
Normist.exe
Nupgrade.exe
Nvc95.exe
Outpost.exe
Padmin.exe
Pavcl.exe
Pavsched.exe
Pavw.exe
Pccwin98.exe
Pcfwallicon.exe
Persfw.exe
Rav7win.exe
Regedit.exe
Rescue.exe
Safeweb.exe
Scan32.exe
Scan95.exe
Scanpm.exe
Scrscan.exe
Serv95.exe
Smc.exe
Sphinx.exe
Sweep95.exe
Tbscan.exe
Tca.exe
Tds2-98.exe
Vet95.exe
Vettray.exe
Vscan40.exe
Vsecomr.exe
Webscanx.exe
Wfindv32.exe
Zonealarm.exe




W32/Kifie-D

Aliases
WORM_KIRBO.A

Type
Win32 worm

Detection
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
W32/Kifie-D spreads via email, P2P, IRC, AIM and local drives. The worm 
copies itself to all local drives as kirbster.exe and to the Windows 
system folder as tasksystemdll.exe and cutekriby.scr.

W32/Kifie-D sets the following registry entry to point to 
tasksystemdll.exe:

HKCU\Control Panel\Desktop\Scrnsave.exe

In addition the worm drops the file %sysdir%\CuteKirby.Scr and 
registers it as the Desktop wallpaper.

W32/Kifie-D displays a message box with the text "There was a critical 
error in the application the video driver could not load. If you 
continue to experience problems try restarting your computer".

In order to be executed automatically on system startup the worm copies 
itself to the file \TaskSystemDll.Exe and sets the 
following registry entry to point to this file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinsysStartUpWKbLw

W32/Kifie-D attempts to copy itself to the KaZaA download folder as
Rage Against The Machine - Sleep Now In This Fire.Mp3.Exe and to the 
following locations:

\Program Files\Morpheus\My Shared Folder\
PennyWise - Land Of The Free.Mp3.Exe
\Program Files\BearShare\Shared\Therion - Nifelheim.Mp3.Exe
\Program Files\EDonkey2000\Incoming\Feeder - Under The Weather.Mp3.Exe
\My Downloads\ePs2e - PS2 Emulator.Exe
\Program Files\ICQ\Shared Files\WinIso - Iso Ripper.Exe
\Program Files\Grokster\My Grokster\AFI - 6 To 8.Mp3.Exe
\Program Files\AIM95\CutiePinkKirby.Scr.

W32/Kifie-D attempts to spread via the IRC network by overwriting the 
initialization file of an existing mIRC installation.

The worm may overwrite all EXE files in the Windows folder and create 
the file KirbyWins.mp3.

On Sundays the worm creates kirbyflood.vbs and kirbyflood.bat in the 
Windows folder. Kirbyflood.vbs creates message boxes in a loop 
containing the text "Are you ready? W32.Kirby.Fl00der By L0new0lf"; 
kirbyflood.bat runs the VBScript file and displays the message 
"l0new0lf strikes again W32.Kirby.Fl00der By L0new0lf".

Also on Sundays, W32/Kifie-D overwrites all TXT and DOC files in the 
Windows, Windows system and Windows system32 folders and attempts to 
delete various anti-virus related files.

The worm then creates and executes the file kirbymail.vbs that sends 
the worm as an email attachment to all entries in the Microsoft Outlook 
address book. The email will have the following characteristics:

Subject line: Fw: hello there
Message text: Hey, I just received a screen saver in the mail and it is 
really cute. Take a look





W32/Jeefo-A

Aliases
PE_JEEFO.A, W32/Jeefo, W32.Jeefo

Type
Win32 worm

Detection
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
W32/Jeefo-A may create the following registry entries upon execution,
so that it is run every time the computer restarts:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\PowerManager
= ""

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\PowerManager
= "C:\\SVCHOST.EXE"





W32/Backzat-K

Aliases
I-Worm.BatzBack.i, WORM_BACKZAT.A

Type
Win32 worm

Detection
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
W32/Backzat-K spreads via mIRC, AIM95 and the KaZaA file-sharing 
network.

Upon execution the worm copies itself as BatzBack.scr to the Windows 
and Windows System folders and sets the following registry entry with 
the path to the copy in the Windows folder:

HKLM\Software\Microsoft\Windows\Current Version\Run\BatzBack

To spread through the KaZaA file-sharing network and AIM95 the worm 
attempts to copy itself as EnimEmSpearsBritney.scr and BuddyShare.exe 
to the KaZaA shared folder and Program Files\AIM95 respectively.

To spread through IRC the worm modifies or creates script.ini so that 
Batzback.scr is sent to other users who join the current channel.






W32/Mapson-A

Aliases
I-Worm.Mapson, W32.Mapson.Worm

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Mapson-A is an email and P2P worm. When run the worm copies itself 
into the Windows system folder with the following filenames:

amigos.pif
amigototote.pif
amor-por-ti.pif
antiwinlogon.pif
antrox.scr
BigBrother.pif
bugmsn.pif
chistesgraficos.pif
chupamelo.pif
comotegustan.pif
CracksPPZ.pif
cristina-aguilera.pif
defaced-madonna-site.pif
eggbrother.exe
EICAX.COM
existeee.pif
financiamiento.pif
GEDZAC.PIF
grancarnal.exe
grande.pif
hackeahotmail.pif
historial.pif
hotmail.pif
kamasutra.pif
lacosha{at}hotmail.com
LatinCard.pif
linuxandmicrosoft.pif
Lorenaaaa.pif
Madonna_sEXY.pif
MariaVirgen.pif
Matrix-Trailer.pif
mujeres.pif
Musica.pif
No-Spam.exe
nuevovirus.txt .pif
Oradores.pif
osamabinhuevoback.exe
parejaideal.txt.pif
petardas.pif
porqueteamo.pif
projimo.pif
relacionsexual.pif
resetarios.pif
SARS.pif
seguridad_en_hotmail.pif
serhacker.pif
Shakira.pif
solo-a-ti.pif
Spamno.pif
teamo.exe
te-pido.scr
test-idiota.pif
testpasion.pif
thalialoca.pif
TutorialVBSvirus.pif
WindowsMediaPlayerBug.pif
www.mfernanda.com
www.vsantiviru.com
www.zonaviru.com
zorrotttas.pif

These filenames are also used as the email attachment filenames.

W32/Mapson-A collects email addresses from the MSN Messenger contact 
list and sends itself to these email addresses as an attachment. The 
attachment will have one of the filenames listed above.

The worm also copies itself into \Lorraine.exe 
and C:\Lorraine.vxd and sets the registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Lorraine =
\Lorraine.exe

The worm displays the fake message "Error. Archivo Parcialmente 
Corrupto remplacelo por uno nuevo".

W32/Mapson-A copies itself into the following shared P2P folders:

\edonkey2000\incoming\
\gnucleus\downloads\
\icq\shared files\
\KaZaA\My Shared Folder\
\kazaa lite\my shared folders\
\limewire\shared\
\morpheus\my shared folder\
\Grokster\My Grokster\

The filename of the copied file is created as follows:
Filename format  .gif          .exe
(e.g. Nude Pic Britney Spears.gif          .exe)

with  taken from -
Desnuda en la playa
las pelotas de
Nude Pic
Sexo en la playa con
Sexy Beach
Sexy Bikini

and  from -
Alejandra Guzman
Angelica Vale
Brenda
Britney Spears
Cameron dias
Celine Dion
Francini
Galilea Montijo
Halle berry
Kylie Minogue
Laura Pausini
Lili Brillanti
Lorena
Paulina Rubio
Pink
Shakira
Thalia

or  .exe
(e.g. Kazaa Media Desktop KeyGen.exe)

where  is taken from -
Ad-aware
Adobe Acrobat Reader (32-bit)
AOL Instant Messenger (AIM)
Biromsoft WebCam
Copernic Agent
Delphi 6
Diet Kaza
DirectDVD
DivX Video Bundle
Download Accelerator Plus
FireWorks 4
FIreWorks MX
Global DiVX Player
Grokster
ICQ Lite
ICQ Pro 2003a beta
iMesh
JetAudio Basic
Kaspersky Antivirus
Kazaa Download Accelerator
Kazaa Media Desktop
Matrix Movie
McAfee Antivirus
Microsoft Internet Explorer
Microsoft Office XP
Microsoft Windows Media Player
Microsoft Windows 2003
Morpheus
msn hack
MSN Messenger (Windows NT/2000)
Nero Burning ROM
NetPumper
Network Cable e ADSL Speed
Norton Antivirus
Office 2003
Panda Antivirus
PerAntivirus
Pop-Up Stopper
QuickTime
RealOne Free Player
Registry Mechanic
SnagIt
SolSuite 2003: Solitaire Card Games Suite
Spybot - Search & Destroy
Trillian
Virtual Girl Sofia
Visual Studio Net
Winamp
WinMX
WinRAR
WinZip
WS_FTP LE (32-bit)
XoloX Ultra
ZoneAlarm

and  from -
crack all versions
Cracked
Full version
KeyGen

In July the worm displays 2 message boxes about the author and the 
worm. W32/Mapson-A also drops C:\lorraine.hta, and runs this file on 
the 4th of any month to display information about the worm.





Dial/PecDial-B

Type
Dialler

Detection
Sophos has received several reports of this virus from the wild.

Description
Dial/PecDial-B is a premium rate porn dialler which runs in the 
background as a service process.

The dialler may attempt to download a file from dialer.pecdialer.com.

Dial/PecDial-B creates a folder called windialup in the Windows system 
folder and within that creates the folder  containing 
the files .exe and launch.ini





W32/Mofei-A

Aliases
WORM_MOFEI.B

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Mofei-A is a worm which spreads via network shares and contains a 
backdoor Trojan which allows remote access and control over the 
computer.

When first run W32/Mofei-A copies itself to the Windows System32 folder 
as Scardsvr32.exe and drops the file Scardsvr32.dll to the System32 
folder. W32/Mofei-A may also drop the files MoFei.dat and MoFei.VER to
the System32 folder.

When W32/Mofei-A is run on Microsoft Windows 9x it creates the registry 
entry

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SCardDrv
= %WINDOWS%\SYSTEM32\Scardsvr32.exe -v

so that Scardsvr32.exe is run automatically each time Windows is 
started.

When W32/Mofei-A is run on Microsoft Windows NT, 2000 or XP, it 
replaces the "Smart Card Helper" service and configures this service to 
run automatically upon startup.





W32/Bugbear-B

Aliases
Bugbear.B, I-Worm.Tanatos.b

Type
Win32 executable file virus

Detection
Sophos has received many reports of this virus from the wild. 

Description
W32/Bugbear-B is a network-aware virus. W32/Bugbear-B spreads by 
sending emails containing attachments and by locating shared resources 
on your network to which it can copy itself.

The virus attempts to exploit a MIME and an IFRAME vulnerability in 
some versions of Microsoft Outlook, Microsoft Outlook Express, and 
Internet Explorer. These vulnerabilities allow an executable attachment 
to run automatically, even if you do not double-click on the attachment.
Microsoft has issued a patch which secures against these attacks. The 
patch can be downloaded from Microsoft Security Bulletin MS01-027. 
(This patch was released to fix a number of vulnerabilities in 
Microsoft's software, including the ones exploited by this virus.)

If the virus activates, several new files will appear on your computer. 
Their names consist of letters of the alphabet randomly chosen by the 
virus. You will find:

xxxx.EXE (usually 72192 bytes) in the Startup folder

and

zzzzzzz.DLL (usually 5632 bytes) in the System folder

The EXE file is an executable copy of the virus. The DLL is a keystroke 
logging tool which is used by the virus when it is activated.

The virus spreads itself via email. The emails can look like normal 
emails or they could have no body text and one of the following subject 
lines:

Hello!
update
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Please Help...
Report
Membership Confirmation
Get a FREE gift!
Today Only
New Contests
Lost & Found
bad news
fantastic
click on this!
Market Update Report
empty account
My eBay ads
25 merchants and rising
CALL FOR INFORMATION!
new reading
Sponsors needed
SCAM alert!!!
Warning!
its easy
free shipping!
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Your Gift
$150 FREE Bonus!
Your News Alert
Get 8 FREE issues - no risk!
Greets!

Attachments can have the same filename as another file on the victim's 
computer. The attachments have double extensions with the final 
extension being EXE, SCR or PIF.

Please note that the virus can spoof the From and Reply To fields in 
the emails it sends.

Additionally, W32/Bugbear-B will infect the following files in the 
Windows folder:

scandskw.exe
regedit.exe
mplayer.exe
hh.exe
notepad.exe
winhelp.exe

and the following files in the Program Files folder:

Internet Explorer\iexplore.exe
adobe\acrobat 5.0\reader\acrord32.exe
WinRAR\WinRAR.exe
Windows Media Player\mplayer2.exe
Real\RealPlayer\realplay.exe
Outlook Express\msimn.exe
Far\Far.exe
CuteFTP\cutftp32.exe
Adobe\Acrobat 4.0\Reader\AcroRd32.exe
ACDSee32\ACDSee32.exe
MSN Messenger\msnmsgr.exe
WS_FTP\WS_FTP95.exe
QuickTime\QuickTimePlayer.exe
StreamCast\Morpheus\Morpheus.exe
Zone Labs\ZoneAlarm\ZoneAlarm.exe
Trillian\Trillian.exe
Lavasoft\Ad-aware 6\Ad-aware.exe
AIM95\aim.exe
Winamp\winamp.exe
DAP\DAP.exe
ICQ\Icq.exe
kazaa\kazaa.exe
winzip\winzip32.exe

W32/Bugbear-B has a thread running in the background which attempts to 
terminate anti-virus and security programs with one of the following 
filenames:

ZONEALARM.EXE, WFINDV32.EXE, WEBSCANX.EXE, VSSTAT.EXE, VSHWIN32.EXE, 
VSECOMR.EXE, VSCAN40.EXE, VETTRAY.EXE, VET95.EXE, TDS2-NT.EXE, 
TDS2-98.EXE, TCA.EXE, TBSCAN.EXE, SWEEP95.EXE, SPHINX.EXE, SMC.EXE,
SERV95.EXE, SCRSCAN.EXE, SCANPM.EXE, SCAN95.EXE, SCAN32.EXE, 
SAFEWEB.EXE, RESCUE.EXE, RAV7WIN.EXE, RAV7.EXE, PERSFW.EXE, 
PCFWALLICON.EXE, PCCWIN98.EXE, PAVW.EXE, PAVSCHED.EXE, PAVCL.EXE, 
PADMIN.EXE, OUTPOST.EXE, NVC95.EXE, NUPGRADE.EXE, NORMIST.EXE, 
NMAIN.EXE, NISUM.EXE, NAVWNT.EXE, NAVW32.EXE, NAVNT.EXE, NAVLU32.EXE, 
NAVAPW32.EXE, N32SCANW.EXE, MPFTRAY.EXE, MOOLIVE.EXE, LUALL.EXE, 
LOOKOUT.EXE, LOCKDOWN2000.EXE, JEDI.EXE, IOMON98.EXE, IFACE.EXE, 
ICSUPPNT.EXE, ICSUPP95.EXE, ICMON.EXE, ICLOADNT.EXE, ICLOAD95.EXE, 
IBMAVSP.EXE, IBMASN.EXE, IAMSERV.EXE, IAMAPP.EXE, FRW.EXE, FPROT.EXE, 
FP-WIN.EXE, FINDVIRU.EXE, F-STOPW.EXE, F-PROT95.EXE, F-PROT.EXE, 
F-AGNT95.EXE, ESPWATCH.EXE, ESAFE.EXE, ECENGINE.EXE, DVP95_0.EXE, 
DVP95.EXE, CLEANER3.EXE, CLEANER.EXE, CLAW95CF.EXE, CLAW95.EXE, 
CFINET32.EXE, CFINET.EXE, CFIAUDIT.EXE, CFIADMIN.EXE, BLACKICE.EXE, 
BLACKD.EXE, AVWUPD32.EXE, AVWIN95.EXE, AVSCHED32.EXE, AVPUPD.EXE, 
AVPTC32.EXE, AVPM.EXE, AVPDOS32.EXE, AVPCC.EXE, AVP32.EXE, AVP.EXE, 
AVNT.EXE, AVKSERV.EXE, AVGCTRL.EXE, AVE32.EXE, AVCONSOL.EXE, 
AUTODOWN.EXE, APVXDWIN.EXE, ANTI-TROJAN.EXE, ACKWIN32.EXE, _AVPM.EXE, 
_AVPCC.EXE, _AVP32.EXE

The keylogging component of W32/Bugbear-B (the DLL) hooks the keyboard 
input so that it records keystrokes to memory.

W32/Bugbear-B opens port 1080 and listens for commands from a remote 
machine. Depending on the command issued the remote user may attempt 
the following on the victim's computer:

Retrieve cached passwords in an encrypted form
Download and execute a file
Find files
Delete files
Execute files
Copy files
Write to files
List processes
Terminate processes
Retrieve information such as username, type of processor, Windows 
version, Memory information (amount used, amount free, etc), Drive 
information (types of local drives available, amount of space available 
on these drives, etc). The remote user may also attempt to open port 80 
(HTTP) on the victim's computer, then connect to the backdoor web 
server (possibly an Apache 1.3.26-type web server) provided by 
W32/Bugbear-B and thus achieve a level of control over the infected 
computer.





Bat/Mumu-A

Aliases
Worm.Win32.Muma, BAT.Muma, Bat/Mumu.worm, BAT.Mumu.A.Worm, BAT_SPYBOT.A

Type
Batch file worm

Detection
Sophos has received several reports of this worm from the wild.

Description
Bat/Mumu-A is a worm which spreads by copying its constituent parts to 
IPC$ and ADMIN$ shares on remote computers which have weak passwords.

The worm is mainly composed of the following BAT files which it copies 
across to the shares:

10.BAT
HACK.BAT
IPC.BAT
MUMA.BAT
NEAR.BAT
RANDOM.BAT
REPLACE.BAT
START.BAT

The worm uses a file named hfind.exe, detected by Sophos Anti-Virus as 
Troj/Hacline-A, to scan potential victim IP addresses and copies this 
file along with IPCPASS.TXT. IPCPASS.TXT contains a list of passwords 
used by Troj/Hacline-A when attempting the copy.

In addition Bat/Mumu-A attempts to copy several non-malicious files 
along with it.

These include:

NWIZ.EXE (A video card utility called NView)
NWIZ.IN_ (A configuration file for NView)
PSEXEC.EXE (A networking utility)
REP.EXE (A string manipulation utility)
PCMSG.DLL (A legitimate utility associated with logging keystrokes)

Once the worm has copied all the files across to the shares it uses 
PSEXEC to run the file START.BAT on the remote computer. This starts 
the entire process again.





Troj/Tunnel-A

Aliases
Backdoor.Checkesp, AVF, Backdoor-AVF

Type
Trojan

Detection
At the time of writing Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/Tunnel-A is a backdoor Trojan. When the Trojan is first executed a 
copy will be created in the system folder with the filename sys64.exe 
and the following registry entry will be created so that the Trojan is
run when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\tunelling = sys64.exe

Troj/Tunnel-A begins by connecting to a site run by the attacker to 
inform them that the computer has been compromised. The Trojan will 
then listen for commands from the attacker.

The Trojan also listens on port 80, the default HTTP port, and 
redirects network traffic on that port to the attacker.





W32/Sobig-C

Aliases
I-Worm.Sobig.c, W95/Sobig.C{at}mm, Win32/Sobig.C

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Sobig-C is an internet worm which spreads by copying itself to the 
startup folder of network shares and by emailing itself to addresses 
found within locally stored files that have an extension of TXT, EML, 
HTML, HTM or DBX.

The emails sent have the following characteristics.
Subject line: chosen from -
Re: Movie
Re: Submitted (004756-3463)
Re: 45443-343556
Re: Approved
Re: Your application
Re: Application

Message text:
Please see the attached file

Attached file: one of -
45443.pif
application.pif
approved.pif
document.pif
documents.pif
movie.pif
screensaver.scr
submitted.pif

The worm spoofs the From: field using email addresses found within 
files on the hard drive or "bill{at}microsoft.com".

W32/Sobig-C will not spread if the date is June 8th 2003 or later.

When run, the worm copies itself to the Windows folder as mscvb32.exe 
and creates the following registry entries so that mscvb32.exe is run 
automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System MScvb
= %WINDOWS%\mscvb32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System MScvb
= %WINDOWS%\mscvb32.exe

W32/Sobig-C enumerates network shares and copies itself to the 
following startup folders if they are shared with write access:

Windows\All Users\Start Menu\Programs\Startup
Documents and Settings\All Users\Start Menu\Programs\Startup

The worm also creates the file msddr.dat in the Windows folder.

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
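The advisories above all name a registry Run or RunServices value that the malware uses for persistence (ALM, WinsysStartUpWKbLw, PowerManager, BatzBack, Lorraine, SCardDrv, tunelling, System MScvb). The script below is an added example, not part of the post or of Sophos's advisories: it parses a Windows registry export in `.reg` text form (the format written by `reg export`, assumed here to be already decoded from UTF-16) and flags autorun values whose name or target filename matches one of those indicators. The sample export is constructed; the "high"/"medium" confidence labels are this example's own convention (both value name and filename match versus only one of them). Backzat-K's key is written "Current Version" with a space in the advisory; the normal spelling is used here.

```python
"""Audit a Windows registry export (.reg text) for the autorun entries
named in the Sophos advisories quoted above.  Added example, not Sophos code."""
import re
import sys
from typing import Dict, List, NamedTuple, Tuple


class Indicator(NamedTuple):
    key: str      # autorun key in short hive form (HKLM/HKCU)
    name: str     # value name given in the advisory
    data: str     # lower-cased filename the advisory says the value points at
    family: str


# Persistence indicators taken from the advisories in the post above.
# Jeefo's data is matched in full because a legitimate svchost.exe lives in
# System32, never in the root of C:.
INDICATORS = [
    Indicator(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ALM", "csrss32.exe", "W32/Anacon-D"),
    Indicator(r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices", "Services", "csrss32.exe", "W32/Anacon-D"),
    Indicator(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "WinsysStartUpWKbLw", "tasksystemdll.exe", "W32/Kifie-D"),
    Indicator(r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices", "PowerManager", r"c:\svchost.exe", "W32/Jeefo-A"),
    Indicator(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "BatzBack", "batzback.scr", "W32/Backzat-K"),
    Indicator(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Lorraine", "lorraine.exe", "W32/Mapson-A"),
    Indicator(r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices", "SCardDrv", "scardsvr32.exe", "W32/Mofei-A"),
    Indicator(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "tunelling", "sys64.exe", "Troj/Tunnel-A"),
    Indicator(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "System MScvb", "mscvb32.exe", "W32/Sobig-C"),
    Indicator(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "System MScvb", "mscvb32.exe", "W32/Sobig-C"),
]

HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
                "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR"}
RANK = {"medium": 1, "high": 2}


class RegValue(NamedTuple):
    key: str
    name: str
    data: str


class Finding(NamedTuple):
    value: RegValue
    family: str
    confidence: str   # "high": name and target match; "medium": only one of them


# A .reg value line is  "name"=data  or  @=data  (default value).
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    """.reg string syntax escapes backslash and double quote with a backslash."""
    return re.sub(r'\\(.)', r'\1', s)


def normalise_key(key: str) -> str:
    """Rewrite a long hive name (HKEY_LOCAL_MACHINE\\...) to its short form (HKLM\\...)."""
    hive, _, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return f"{hive}\\{rest}" if rest else hive


def parse_reg_export(text: str) -> List[RegValue]:
    """Parse decoded .reg text into (key, value name, data) triples.
    Non-string data (dword:, hex:) is kept as its raw text; continuation lines are skipped."""
    values: List[RegValue] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalise_key(line[1:-1])
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else ""
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        values.append(RegValue(current, name, data))
    return values


def audit_autoruns(values: List[RegValue]) -> List[Finding]:
    """Match every exported value against the indicators; one finding per value and family,
    keeping the strongest confidence when several indicators of a family hit."""
    best: Dict[Tuple[RegValue, str], str] = {}
    for v in values:
        key_l, name_l, data_l = v.key.lower(), v.name.lower(), v.data.lower()
        for ind in INDICATORS:
            name_hit = key_l == ind.key.lower() and name_l == ind.name.lower()
            data_hit = ind.data in data_l          # filename may hide under a renamed value
            if not (name_hit or data_hit):
                continue
            conf = "high" if (name_hit and data_hit) else "medium"
            cur = best.get((v, ind.family))
            if cur is None or RANK[conf] > RANK[cur]:
                best[(v, ind.family)] = conf
    return [Finding(v, fam, conf) for (v, fam), conf in best.items()]


# Constructed sample export: two legitimate entries mixed with indicator hits.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ALM"="C:\\WINDOWS\\SYSTEM32\\csrss32.exe"
"System MScvb"="C:\\WINDOWS\\mscvb32.exe"
"tunelling"="sys64.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"PowerManager"="C:\\SVCHOST.EXE"
"Services"="C:\\WINDOWS\\SYSTEM32\\csrss32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="C:\\WINDOWS\\SYSTEM32\\Scardsvr32.exe -v"
'''


def main() -> None:
    # Usage: python audit_autoruns.py [export.reg]; without a path the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for f in audit_autoruns(parse_reg_export(text)):
        print(f"[{f.confidence:6}] {f.family:14} {f.value.key}\\{f.value.name} = {f.value.data}")


if __name__ == "__main__":
    main()
```

The filename match runs on every exported value regardless of key, so a sample renamed to an unremarkable value name (the "Updater" line in the sample) is still reported, at lower confidence; a name-only hit is kept at medium because names such as PowerManager or Services can also belong to legitimate software.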
