While running a scan the following virus was found: win32sobig
LINK: http://www.avast.com/eng/win32sobigb.html
I did what was “recommended” by avast and “deleted it”. Looking at parts of the worm description I have questions regarding this finding, but I realize maybe no one would have the answers, but I thought I’d give it a try.
After reading about it on the Avast web page description of the virus I still don’t know what damage it does. As far as I can see it is “a mass-mailing worm that sends itself to all e-mail addresses it finds in files with the following extensions: wab, dbx, htm, html, eml and txt.”
What I can conclude from this is that if I have files with these extensions and there happens to be an email address in any of those files then it “sends itself” to these files. Does this mean that it writes into those files the “executable program” (see below)? If so, then what is the impact of this on my computer?
“The attachment is an executable program about 50 KB long and it has a pif extension.”
Win32:Sobig-B copies itself into the Windows folder under the name msccn32.exe and then sets the following registry values:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System Tray
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Tray so that it is executed every time you log on to your computer.
So exactly what is the impact of this on my computer other than placing the “executable” file into the Windows folder and setting registry keys?
What is a “pif” file extension and what does it do? Is a “pif” file another type of file extension that is an “executable file” like “.exe” file extensions? If so, what is the difference?
Noting that “it is executed every time you log on…”, what is meant by “log on to your computer”? Does this mean Boot Up? I don’t really “log on” to my WIN98SE computer. Also I presume the “msccn32.exe” is what is being executed; what exactly is being done when this is executed?
The worm deactivates itself on 31st May 2003.
The above would presume that the worm is no longer active after May 31st 2003. If this is the case then I would presume it has no impact on my computer after that date, right? Also, why would a worm have a “deactivation date” in the first place?
It would appear that this virus has been on my computer for years considering the “deactivation” date of May 2003; is this correct?
If so, the bottom line: what has it been doing all of this time (before it presumably “deactivated” itself)?
Is the Avast recommendation to “delete” the virus the correct choice? Under what circumstances would you make an alternative choice like sending it to the “virus chest” or “renaming the file” etc.? Would Avast tell me to do this alternative choice if that was what is best?
avast! with VPS file dated on or after 19th May 2003 is able to detect this worm
The above statement by Avast would mean that the worm was only active from May 19th 2003 to May 31st 2003, when it “deactivated” itself, right ?
Thanks in advance for any info
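An added example, not from the original post or from avast, showing how a defender could check a registry export for the persistence entries quoted above (the “System Tray” values under the HKCU and HKLM Run keys pointing at msccn32.exe). It assumes the Run keys were exported with regedit to a REGEDIT4-format .reg file; the sample export embedded below is constructed.

```python
import re

# Indicators taken from the avast description quoted in the post above.
WORM_VALUE_NAME = "system tray"
WORM_FILENAME = "msccn32.exe"
RUN_KEYS = (
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
)

# Constructed sample of a regedit export (REGEDIT4 format, as on Win98SE).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray"="C:\\WINDOWS\\msccn32.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray"="C:\\WINDOWS\\msccn32.exe"
"SoundMan"="SOUNDMAN.EXE"
'''


def parse_reg_export(text):
    """Parse [key] headers and "name"="data" string values of a .reg export
    into {key (lower-cased): {value name: data}}. Only string values are read."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1).lower()
            entries.setdefault(current, {})
            continue
        value = re.match(r'^"([^"]*)"="(.*)"$', line)
        if value and current is not None:
            # .reg files escape backslashes and double quotes inside data.
            data = value.group(2).replace('\\\\', '\\').replace('\\"', '"')
            entries[current][value.group(1)] = data
    return entries


def find_sobig_persistence(text):
    """Return (key, value name, data) for Run entries that match the indicators:
    the value name "System Tray" or any data referencing msccn32.exe."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key not in RUN_KEYS:
            continue
        for name, data in values.items():
            if name.lower() == WORM_VALUE_NAME or WORM_FILENAME in data.lower():
                hits.append((key, name, data))
    return hits
```

Running `find_sobig_persistence(SAMPLE_EXPORT)` reports both Run entries; a clean export (no “System Tray” value and no msccn32.exe reference) returns an empty list.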