Virus found, what is it ?

While running a scan the following virus was found: win32sobig

LINK: http://www.avast.com/eng/win32sobigb.html

I did what was “recommended” by avast and “deleted it”. Looking at parts of the worm description I have questions regarding this finding, but I realize maybe no one would have the answers, but I thought I’d give it a try. :slight_smile:

After reading about it on the Avast web page description of the virus I still don’t know what damage it does. As far as I can see it is “a mass-mailing worm that sends itself to all e-mail addresses it finds in files with the following extensions: wab, dbx, htm, html, eml and txt.”

What I can conclude from this is that if I have files with these extensions and there happens to be an email address in any of those files then it “sends itself” to these files. Does this mean that it writes into those files the “executable program” (see below)? If so, then what is the impact of this on my computer?

“The attachment is an executable program about 50 KB long and it has a pif extension.”

Win32:Sobig-B copies itself into the Windows folder under the name msccn32.exe and then sets the following registry values:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System Tray
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Tray so that it is executed every time you log on to your computer.

So exactly what is the impact of this on my computer other than placing the “executable” file into the Windows folder and setting registry keys ?

What is a “pif” file extension and what does it do? Is a “pif” file another type of file extension that is an “executable file” like the “.exe” file extension? If so, what is the difference?

Noting that “it is executed every time you log on…”, what is meant by “log on to your computer”? Does this mean Boot Up? I don’t really “log onto” my WIN98SE computer. Also I presume the “msccn32.exe” is what is being executed; what exactly is being done when this is executed?

The worm deactivates itself on 31st May 2003.

The above would presume that the worm is no longer active after May 31st 2003. If this is the case then I would presume it has no impact on my computer after that date, right? Also, why would a worm have a “deactivation date” in the first place?

It would appear that this virus has been on my computer for years considering the “deactivation” date of May 2003, is this correct ?

If so, the bottom line: what has it been doing all of this time (before it presumably “deactivated” itself)?

Is the Avast recommendation to “delete” the virus the correct choice? Under what circumstances would you make an alternative choice like sending it to the “virus chest” or “renaming the file” etc.? Would Avast tell me to do this alternative choice if that was what is best?

avast! with VPS file dated on or after 19th May 2003 is able to detect this worm

The above statement by Avast would mean that the worm was only active from May 19th 2003 to May 31st 2003, when it “deactivated” itself, right ?

Thanks in advance for any info :slight_smile:

No, the virus is sent, or sends itself, to all e-mail addresses it finds in files with those extensions.
So the virus is sent by email and does not infect those files themselves.
Does this explain it, or are your other questions still valid? Please, if you ask step by step or number your questions, it will be easy for us to follow your mind…

Tech wrote:

Please, if you ask step by step or number your questions, it will be easy for us to follow your mind...

Thanks, Tech for the suggestion. Good point, I’ll try and make it easier and catalogue my questions (if more context is needed then please refer to my original message).

1) Apparently it is the executable (code) program that is “attached”, “added” or “written into” the documents that have certain specific “extension” names (wab, dbx, htm, html, eml and txt) as described. Is this TRUE ?

2) The Win32:Sobig-B copies itself into the Windows folder under the name msccn32.exe and then sets the following registry values:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System Tray
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Tray so that it is executed every time you log on to your computer.

I don’t really Log on or off my computer in WIN98SE, in my case would it be executed at BOOT UP ?

3) Executable programs (code) are typically created to do some kind of action beyond simply residing in a file. What exactly does this executable (code) program, which I presume to be “msccn32.exe”, actually do when it is being executed?

4) As described “The worm deactivates itself on 31st May 2003.” Presumably the worm has not been active after May 31st 2003. If this is the case then I can conclude it has no impact on my computer after that date, right ?

5) Also why would a worm have a “deactivation date” in the first place ?

6) It would appear that this virus has been on my computer for years considering the “deactivation” date of May 2003, is this correct ?

7) If so, then I have to presume that Norton 2004 AV didn’t scan the location to have found this worm since I would presume that it is a well known virus, is this True ?

8) When Avast recommends to “delete” a virus (as in this case), is this always the BEST CHOICE?

9) Under what circumstances would you make an alternative choice like sending it to the “virus chest” or “renaming the file” etc.?

10) Would Avast tell me to do this alternative choice if that was what is best ?

11) Avast states the following: “avast! with VPS file dated on or after 19th May 2003 is able to detect this worm” The above statement by Avast would mean that the worm was only active from May 19th 2003 to May 31st 2003, when it “deactivated” itself, is this correct ?

12) It seems odd to me to have only a 12-day “activity window” for a “virus”. Considering that the “worm” was only “active” a very short time, is it true that the original intent of the “executable code” was at the very worst benign, but that since it could be easily modified for the purpose of malicious intent it is considered a threat and thus the designation “worm” virus?

13) Considering I don’t appear to have problems with my PC, what kind of malicious damage could this code have or might have done to a PC ?

Thanks in advance for any info :slight_smile:
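The persistence described in question 2 (a value named “System Tray” under both the HKCU and HKLM `...\CurrentVersion\Run` keys, pointing at `msccn32.exe` in the Windows folder) is the kind of thing you can check for yourself by exporting those keys with regedit and reading the export. The script below is an added example, not code from the thread or from avast: it parses a constructed `.reg` export modelled on that description and flags autostart entries that deserve a look. The `.reg` sample, the allowlist argument and the function names are all assumptions made for the example; the only values taken from the thread are the “System Tray” name and `msccn32.exe`.

```python
import re
from pathlib import PureWindowsPath

# Constructed .reg export (not from the thread), modelled on the persistence
# the avast description attributes to Win32:Sobig-B: a value named
# "System Tray" under both Run keys pointing at msccn32.exe in the Windows
# folder. The other entries are invented benign or test values.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray"="C:\\WINDOWS\\msccn32.exe"
"Known Tool"="\"C:\\Program Files\\Vendor\\tool.exe\" /background"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray"="C:\\WINDOWS\\msccn32.exe"
"Mixer"="C:\\WINDOWS\\SYSTEM\\mixer.exe"
"Updater"="C:\\WINDOWS\\TEMP\\update.pif"
'''

RUN_KEY_RE = re.compile(r'^\[(HKEY_[A-Z_]+)\\.*\\CurrentVersion\\Run\]$', re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Extensions Windows launches as programs. ".pif" is here because a Program
# Information File whose bytes are really a Win32 executable is simply run as
# that executable; the Sobig mail attachment used exactly that extension.
EXECUTABLE_EXTS = {'.exe', '.com', '.pif', '.scr', '.bat', '.cmd'}


def _unescape(value):
    # A .reg export writes a backslash as \\ and a double quote as \"
    return value.replace('\\\\', '\\').replace('\\"', '"')


def _program_path(command):
    """Extract the program path from a Run value's command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def parse_run_entries(reg_text):
    """Return one {'hive', 'name', 'program'} dict per value under a ...\\Run key."""
    entries, hive = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('['):
            m = RUN_KEY_RE.match(line)
            hive = m.group(1).upper() if m else None   # values of other keys are ignored
            continue
        m = VALUE_RE.match(line)
        if hive and m:
            entries.append({'hive': hive, 'name': m.group(1),
                            'program': _program_path(_unescape(m.group(2)))})
    return entries


def flag_autostart_entries(entries, windows_dir='C:\\WINDOWS', known_good=frozenset()):
    """Return the entries worth a second look, each with a list of reasons."""
    win = windows_dir.lower().rstrip('\\')
    # (name, program) pairs registered in more than one hive: the dual
    # HKCU/HKLM registration the avast description lists for this worm.
    hives_seen = {}
    for e in entries:
        hives_seen.setdefault((e['name'].lower(), e['program'].lower()), set()).add(e['hive'])
    flagged = []
    for e in entries:
        p = PureWindowsPath(e['program'])
        reasons = []
        if str(p.parent).lower() == win and p.name.lower() not in known_good:
            reasons.append('unknown program launched straight from the Windows folder')
        if p.suffix.lower() in EXECUTABLE_EXTS - {'.exe'}:
            reasons.append(f'{p.suffix.lower()} file used as an autostart program')
        if len(hives_seen[(e['name'].lower(), e['program'].lower())]) > 1:
            reasons.append('same value registered under both HKCU and HKLM Run')
        if reasons:
            flagged.append({**e, 'reasons': reasons})
    return flagged


if __name__ == '__main__':
    for f in flag_autostart_entries(parse_run_entries(SAMPLE_REG_EXPORT)):
        print(f"{f['hive']}\\...\\Run  {f['name']!r} -> {f['program']}")
        for r in f['reasons']:
            print('   -', r)
```

Run against the constructed export it reports the two “System Tray” values (unknown program in the Windows folder, registered in both hives) and the `.pif` autostart, and leaves the entry under Program Files alone. The `known_good` set exists because a real Windows folder does hold legitimate executables; the check is a prompt to look, not a verdict.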

I think not… but I’m not an expert on this. I rather doubt that txt and html will make any difference, for instance.

Yes.

Google could give you more deep info about the virus. I myself don’t know.

No. I won’t be so sure. It could be active then and after. If you Google, maybe the behavior of the virus will be explained.

Who tells you it has? :slight_smile:
Maybe it’s working after that date…

Maybe… if the virus is really deactivated, could be.

Yes, if you did not add this file to the Norton exclusion list, it should be detected or, like you’ve presumed, it was deactivated and is unharmful.

If avast recommends this… But I thought the recommended action is send the file to Chest for further analysis, possible restoring, etc.

Chest is always recommended.
Although, sometimes it’s not available or possible. Boot time is one of those occasions; you will only be allowed to rename, move, etc.
Chest is not active at that time (no necessary drivers are loaded).

I think it recommends Chest all the times. I could be wrong. If I remember when I translated the software, Chest is this option.

No. The VPS date (May 19th) is when the file starts to be detected, not the first day it could be active.
Generally, the date of detection is very close to the day of the virus release.

I’m not able to make all these assumptions… if, if, if… :slight_smile:

Do you ask God? ;D
You’re becoming paranoid 8)
Take a breath. Take it easy. Enjoy avast! 8)