Win32:Sobig-C
Win32:Sobig-C is the successor to Win32:Sobig-B. While the B variant stopped spreading on 31st May 2003, the C variant appeared on the very same day. Win32:Sobig-C arrives as an attachment to an e-mail message. The subject of the message is one of the following:
Approved
Re: 45443-343556
Re: Application
Re: Approved
Re: Movie
Re: Submited (004756-3463)
Re: Your application
The message body contains the text:
Please see the attached file.
The attachment has one of the following names:
45443.pif
application.pif
approved.pif
document.pif
documents.pif
movie.pif
screensaver.scr
submited.pif
_submited.pif
The sender's address is forged: it is either one of the e-mail addresses found on the infected computer or bill@microsoft.com.
The worm copies itself into the Windows directory under the name mscvb32.exe and adds the following key to the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System MScvb
The worm will stop spreading on 8th June 2003.
Win32:Sobig also attempts to download a trojan horse from public websites. The website addresses are stored encrypted inside the virus body.
Removal:
To remove this virus, please use our free avast! Virus Cleaner.
avast! with a VPS file dated on or after 1st June 2003 is able to detect this worm.



