RE: CRIME SOBIG ADVISORY

From: alan (alan@private)
Date: Tue Aug 19 2003 - 10:05:07 PDT


    On Tue, 19 Aug 2003, Kuo, Jimmy wrote:
    
    > Yes.  Another one.  :-(
    > 
    > I haven't had 10 free minutes to write to CRIME about this.  I actually
    > started one about 10AM, but my wireless cut out (someone around me has a
    > 2.4MHz phone, I'm sure).
    > 
    > We are just right now, raising our Risk Assessment to HIGH for Home Users on
    > this virus.  Corporate users have the ability to block .PIF and .SCR and
    > many have done so from the previous SoBigs.  But home users continue to
    > click on attachments.  :-(
    
    I am not certain which is worse.  The virus or all the anti-virus programs 
    spitting out warnings that it saw a virus.
    
    So far I have gotten HUNDREDS of anti-virus warnings sent to practically 
    every mailing list I am on.  It is actually outnumbering the spam I get 
    at this point! (As well as the actual copies of the virus.  I might have 
    gotten one or two, but that is about it.)
    
    Sending out virus warnings to senders is really a bad idea unless verified 
    by a clued human.  Anything else is just plain annoying behaviour.
    
    > Here's our page:
    > 
    > http://vil.nai.com/vil/content/v_100561.htm
    > 
    > -----Original Message-----
    > From: Jim Wood
    > To: crime@private
    > Sent: 8/19/03 1:34 PM
    > Subject: CRIME SOBIG ADVISORY
    > 
    > 
    > FYI-
    > 
    > 
    > Network traffic is up due to the SOBIG worm today.  Numerous reports
    > from security sites, as well as network admins around the country are
    > reporting the attachment coming in as a .pif attachment to their email
    > clients.
    > 
    > The following information is from Symantec, just thought I would pass it
    > along in the interest of being pro-active in the shadow of the last
    > mess.
    > 
    > **********************************START DOCUMENT****************************
    > 
    >  Symantec Security Response http://securityresponse.symantec.com 
    > W32.Sobig.F@mm   
    > Discovered on: August 19, 2003  
    > Last Updated on: August 19, 2003 09:24:02 AM 
    > 
    > Due to the number of submissions received from customers, Symantec
    > Security Response has upgraded this threat to a Category 3 from a
    > Category 2 threat. 
    > W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself
    > to all the email addresses that it finds in the files with the following
    > extensions:
    > 
    > 
    > .dbx 
    > .eml 
    > .hlp 
    > .htm 
    > .html 
    > .mht 
    > .wab 
    > .txt
    > 
    > The worm utilizes its own SMTP engine to propagate and will attempt to
    > create a copy of itself on accessible network shares.
    > 
    > Email Routine Details
    > The email message has the following characteristics:
    > 
    > From: Spoofed address (which means that the sender in the "From" field
    > is most likely not the real sender). 
    > The worm may use the address admin@private as the sender.
    > 
    > Subject: 
    > Re: Details 
    > Re: Approved 
    > Re: Re: My details 
    > Re: Thank you! 
    > Re: That movie 
    > Re: Wicked screensaver 
    > Re: Your application 
    > Thank you! 
    > Your details
    > 
    > Body: 
    > See the attached file for details 
    > Please see the attached file for details.
    > 
    > Attachment: 
    > your_document.pif 
    > document_all.pif 
    > thank_you.pif 
    > your_details.pif 
    > details.pif 
    > document_9446.pif 
    > application.pif 
    > wicked_scr.scr 
    > movie0045.pif
    > 
    > NOTE: The worm deactivates on September 10, 2003. The last day on which
    > the worm will spread is September 9, 2003.
    > 
    > Also Known As:  Sobig.F [F-Secure], W32/Sobig.f@MM [McAfee], WORM
    > SOBIG.F [Trend] 
    > Type:  Worm 
    > Infection Length:  about 72,000 bytes 
    > Systems Affected:  Windows 2000, Windows 95, Windows 98, Windows Me,
    > Windows NT, Windows XP 
    > Systems Not Affected:  Linux, Macintosh, OS/2, UNIX, Windows 3.x 
    > 
    > Beta Virus Definitions:  August 18, 2003 
    > Virus Definitions (Intelligent Updater) *:  August 19, 2003 
    > Virus Definitions (LiveUpdate™) **:  August 19, 2003 
    > 
    > * Intelligent Updater definitions are released daily, but require manual
    > download and installation. Click here to download manually.
    > ** LiveUpdate virus definitions are usually released every Wednesday.
    > Click here for instructions on using LiveUpdate.
    > 
    > Wild: 
    > Number of infections: 0 - 49 
    > Number of sites: 3 - 9 
    > Geographical distribution: Low 
    > Threat containment: Easy 
    > Removal: Easy 
    > 
    > Threat Metrics
    > Wild: Medium
    > Damage: Low
    > Distribution: Medium
    > 
    > When W32.Sobig.F@mm is executed, it performs the following actions:
    > 
    > 
    > Copies itself as %Windir%\winppr32.exe.
    > 
    > NOTE: %Windir% is a variable. The worm locates the Windows installation
    > folder (by default, this is C:\Windows or C:\Winnt) and copies itself to
    > that location.
    > 
    > 
    > Creates the file, %Windir%\winsst32.dat.
    > 
    > 
    > Adds the value:
    > 
    > "TrayX"="%Windir%\winppr32.exe /sinc"
    > 
    > to the registry key:
    > 
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    > 
    > so the worm runs when you start Windows.
    > 
    > Attempts to copy itself to any network shares it has write access to.
    > The worm will utilize standard Windows APIs to do this.
    > 
    > Sobig.F can download arbitrary files to an infected computer and execute
    > them. The author of the worm has used this functionality to steal
    > confidential system information and to set up spam relay servers on
    > infected computers. 
    > 
    > This functionality may also be used as a worm self-update feature. Under
    > the correct conditions, Sobig.F attempts to contact one of the list of
    > master servers, which the author of the worm controls. Then, the worm
    > retrieves a URL that it uses to determine where to get the Trojan file,
    > downloads the Trojan file to the local computer, and then executes it.
    > 
    > In Sobig.F, the conditions for this download attempt are: 
    > According to UTC time, the day of the week must be Monday or Friday. 
    > According to UTC time, the time of day must be between 7:00 P.M. and
    > 11:59:59 P.M.
    > 
    > Sobig.F obtains the UTC time through the NTP protocol, by contacting one
    > of several possible servers on port 123/udp (the NTP port).
    > 
    > The worm starts the download attempt by sending a probe to port 8998/udp
    > of the master server. Then, the server replies with a URL, where the
    > worm can download the file to execute.
    > 
    > Sobig.F also opens the following ports: 
    > 995/udp 
    > 996/udp 
    > 997/udp 
    > 998/udp 
    > 999/udp
    > 
    > and it listens for any incoming UDP datagrams on these ports. Incoming
    > datagrams are parsed, and upon receiving a datagram with the proper
    > signature, the master server list of the worm may be updated.
    > 
    > Network administrators should do the following: 
    > Block inbound traffic on ports 99x/udp. 
    > Block outbound traffic on port 8998/udp. 
    > Monitor NTP requests (port 123/udp), as these could be coming from
    > infected computers. (The frequency of such checks for an infected
    > computer should be once per hour.)
    > 
    > Symantec Security Response encourages all users and administrators to
    > adhere to the following basic security "best practices":
    > 
    > Turn off and remove unneeded services. By default, many operating
    > systems install auxiliary services that are not critical, such as an FTP
    > server, telnet, and a Web server. These services are avenues of attack.
    > If they are removed, blended threats have fewer avenues of attack and you
    > have fewer services to maintain through patch updates. 
    > If a blended threat exploits one or more network services, disable, or
    > block access to, those services until a patch is applied. 
    > Always keep your patch levels up-to-date, especially on computers that
    > host public services and are accessible through the firewall, such as
    > HTTP, FTP, mail, and DNS services. 
    > Enforce a password policy. Complex passwords make it difficult to crack
    > password files on compromised computers. This helps to prevent or limit
    > damage when a computer is compromised. 
    > Configure your email server to block or remove email that contains file
    > attachments that are commonly used to spread viruses, such as .vbs,
    > .bat, .exe, .pif and .scr files. 
    > Isolate infected computers quickly to prevent further compromising your
    > organization. Perform a forensic analysis and restore the computers
    > using trusted media. 
    > Train employees not to open attachments unless they are expecting them.
    > Also, do not execute software that is downloaded from the Internet
    > unless it has been scanned for viruses. Simply visiting a compromised
    > Web site can cause infection if certain browser vulnerabilities are not
    > patched. 
    > 
    > 
    > The following instructions pertain to all current and recent Symantec
    > antivirus products, including the Symantec AntiVirus and Norton
    > AntiVirus product lines.
    > 
    > NOTE: If you are on a network or have a full-time connection to the
    > Internet, disconnect the computer from the network and the Internet.
    > Remove this threat from all the computers on the network before
    > reconnecting to it. Disable or password-protect file sharing before
    > reconnecting the computers to the network or to the Internet. 
    > 
    > For instructions on how to do this, see your Windows documentation, or
    > the document, "How to configure shared Windows folders for maximum
    > network protection."
    > 
    > IMPORTANT: Do not skip this step. Disconnect from the network before
    > attempting to remove this worm.
    > 
    > 
    > Disable System Restore (Windows Me/XP). 
    > Update the virus definitions. 
    > Do one of the following: 
    > Windows 95/98/Me: Restart the computer in Safe mode. 
    > Windows NT/2000/XP: End the Trojan process.
    > Run a full system scan and delete all the files detected as
    > W32.Sobig.F@mm. 
    > Delete the values that were added to the registry.
    > 
    > For specific details on each of these steps, read the following
    > instructions.
    > 
    > 1. Disabling System Restore (Windows Me/XP)
    > If you are running Windows Me or Windows XP, we recommend that you
    > temporarily turn off System Restore. Windows Me/XP uses this feature,
    > which is enabled by default, to restore the files on your computer in
    > case they become damaged. If a virus, worm, or Trojan infects a
    > computer, System Restore may back up the virus, worm, or Trojan on the
    > computer.
    > 
    > Windows prevents outside programs, including antivirus programs, from
    > modifying System Restore. Therefore, antivirus programs or tools cannot
    > remove threats in the System Restore folder. As a result, System Restore
    > has the potential of restoring an infected file on your computer, even
    > after you have cleaned the infected files from all the other locations.
    > 
    > Also, a virus scan may detect a threat in the System Restore folder even
    > though you have removed the threat.
    > 
    > For instructions on how to turn off System Restore, read your Windows
    > documentation, or one of the following articles: 
    > "How to disable or enable Windows Me System Restore" 
    > "How to turn off or turn on Windows XP System Restore"
    > 
    > 2. Updating the virus definitions
    > Symantec Security Response fully tests all the virus definitions for
    > quality assurance before they are posted to our servers. There are two
    > ways to obtain the most recent virus definitions: 
    > Running LiveUpdate, which is the easiest way to obtain virus
    > definitions: These virus definitions are posted to the LiveUpdate
    > servers once each week (usually on Wednesdays), unless there is a major
    > virus outbreak. To determine whether definitions for this threat are
    > available by LiveUpdate, refer to the Virus Definitions (LiveUpdate). 
    > Downloading the definitions using the Intelligent Updater: The
    > Intelligent Updater virus definitions are posted on U.S. business days
    > (Monday through Friday). You should download the definitions from the
    > Symantec Security Response Web site and manually install them. To
    > determine whether definitions for this threat are available by the
    > Intelligent Updater, refer to the Virus Definitions (Intelligent
    > Updater).
    > 
    > The Intelligent Updater virus definitions are available: Read "How to
    > update virus definition files using the Intelligent Updater" for
    > detailed instructions.
    > 
    > 3. Restarting the computer in Safe mode or ending the Trojan process 
    > Windows 95/98/Me
    > Restart the computer in Safe mode. All the Windows 32-bit operating
    > systems, except for Windows NT, can be restarted in Safe mode. For
    > instructions, read the document, "How to start the computer in Safe
    > Mode."
    > 
    > Windows NT/2000/XP
    > To end the Trojan process: 
    > Press Ctrl+Alt+Delete once. 
    > Click Task Manager. 
    > Click the Processes tab. 
    > Double-click the Image Name column header to alphabetically sort the
    > processes. 
    > Scroll through the list and look for Winppr32.exe. 
    > If you find the file, click it, and then click End Process. 
    > Exit the Task Manager.
    > 
    > 4. Scanning for and deleting the infected files 
    > Start your Symantec antivirus program and make sure that it is
    > configured to scan all the files. 
    > For Norton AntiVirus consumer products: Read the document, "How to
    > configure Norton AntiVirus to scan all files." 
    > For Symantec AntiVirus Enterprise products: Read the document, "How to
    > verify that a Symantec Corporate antivirus product is set to scan all
    > files." Run a full system scan. 
    > If any files are detected as infected with W32.Sobig.F@mm, click Delete.
    > 
    > 
    > 5. Deleting the values from the registry
    > 
    > CAUTION: Symantec strongly recommends that you back up the registry
    > before making any changes to it. Incorrect changes to the registry can
    > result in permanent data loss or corrupted files. Modify the specified
    > keys only. Read the document, "How to make a backup of the Windows
    > registry," for instructions. 
    > 
    > Click Start, and then click Run. (The Run dialog box appears.) 
    > Type regedit 
    > 
    > Then click OK. (The Registry Editor opens.)
    > 
    > 
    > Navigate to the key:
    > 
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    > 
    > 
    > In the right pane, delete the value:
    > 
    > "TrayX"="%Windir%\winppr32.exe /sinc"
    > 
    > 
    > Exit the Registry Editor.
    > 
    > Write-up by: Benjamin Nahorney and Atli Gudmundsson 
    > 
    > 
    > ********************END DOCUMENT********************************
    > 
    > Jim Wood
    > jwood@private
    > MW Technology Group Inc
    > DBA:  Zebra Computer Repair & Networking
    > 360-736-7000
    >  
    > 
    > 
    > ---
    > Outgoing mail is certified Virus Free.
    > Checked by AVG anti-virus system (http://www.grisoft.com).
    > Version: 6.0.509 / Virus Database: 306 - Release Date: 8/12/2003
    > 
    
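Gateway-side triage for the indicators quoted in the forwarded advisory (the listed attachment names, the extensions it recommends blocking, and the Monday/Friday 19:00-23:59:59 UTC download window), as an added example that is not part of the thread or of Symantec's write-up. It assumes Python 3.7+; the sample message and the example.invalid domain are constructed placeholders.

```python
# Gateway triage for the W32.Sobig.F@mm indicators quoted in the advisory above.
# Added example, not part of the original thread or of Symantec's write-up;
# the sample message at the bottom is constructed.
from datetime import datetime, timezone
from email import message_from_string

# Attachment names as listed in the advisory, and the extensions it recommends
# blocking at the mail server.
SOBIG_ATTACHMENTS = {"your_document.pif", "document_all.pif", "thank_you.pif",
                     "your_details.pif", "details.pif", "document_9446.pif",
                     "application.pif", "wicked_scr.scr", "movie0045.pif"}
BLOCKED_EXTENSIONS = (".vbs", ".bat", ".exe", ".pif", ".scr")


def triage(raw: str) -> dict:
    """'sobig' on an attachment-name match, 'blocked-ext' on a merely risky
    extension, otherwise 'clean'. notify_sender stays False: the From: address
    is spoofed, so warning it only adds to the noise alan complains about."""
    msg = message_from_string(raw)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    if any(n.lower() in SOBIG_ATTACHMENTS for n in names):
        verdict = "sobig"
    elif any(n.lower().endswith(BLOCKED_EXTENSIONS) for n in names):
        verdict = "blocked-ext"
    else:
        verdict = "clean"
    return {"verdict": verdict, "attachments": names, "notify_sender": False}


def in_download_window(iso_utc: str) -> bool:
    """True when a UTC timestamp falls in the Monday/Friday 19:00-23:59:59
    window in which the advisory says Sobig.F probes port 8998/udp."""
    t = datetime.fromisoformat(iso_utc)
    if t.tzinfo is not None:
        t = t.astimezone(timezone.utc)
    return t.weekday() in (0, 4) and t.hour >= 19


# Constructed sample: a Sobig.F-style message with a spoofed From: header.
SAMPLE_SOBIG = """\
From: admin@example.invalid
Subject: Re: Your application
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="application.pif"
Content-Disposition: attachment; filename="application.pif"

AAAA
--b1--
"""
```

The window check is what you would schedule the advisory's 8998/udp egress monitoring around; outside it, an outbound probe to that port from a host is not explained by this worm.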



    This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 19:38:08 PDT