WINMGM32.exe

Existence of the file WINMGM32.EXE in the Windows directory, file size 65,536 bytes, Indicates infection of the Sobig Virus worm. This usually comes to you from Big Boss, big@boss.com.

McAfee anti-virus will remove and protect you from the Sobig Virus.

Aliases:
I-Worm.Sobig (AVP), W32.Sobig.A@mm (Symantec), W32/Sobig (Panda), W32/Sobig-A (Sophos), Win32.Sobig (CA), WORM_SOBIG.A (Trend)

The worm may arrive to you in this from:

big@boss.com
Subject: One of the following:
* Re: Movies
* Re: Sample
* Re: Document
* Re: Here is that sample

Sobig email contains the an attachment: 65,536 bytes with one of the following filenames:

* Movie_0074.mpeg.pif
* Document003.pif
* Untitled1.pif
* Sample.pif

When run the worm installs itself into the Windows directory as WINMGM32.EXE.

Two registry hooks are added to hook system startup, for example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsMGM" = C:\WINDOWS\winmgm32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsMGM" = C:\WINDOWS\winmgm32.exe

Email addresses harvested from the local machine are written to the file (confirmed via field reports, not observed in testing):
%WinDir%\SNTMLS.DAT

The worm retrieves a text file from a Geocities user page(http://www.geocities.com/reteras).

At the time of writing, this file contained a single URL:
http://www.doesnotexist.com/blah.txt

If retrieved successfully, this URL is written to the file %WinDir%\DWN.DAT.
Since analysis started, the URL has been updated, and references a remote PE file which the worm subsequently attempts to download. This file is detected as BackDoor-AOT with the 4242 DATs.
The worm contains the string:
Worm.X

...Where nothing can possibli go wrong!

Top Virus Threats

Top Anti Virus










Books, Software

Recommends
Get your link below

Silver and Glass	Thailand Travel
Custom Beading

Email Us | Site Map