Sobig

The Sobig worm is considered one of the most destructive worms of its time, with a reported total of $37.1 billion in damage. It also set records for spreading ability, including the number of emails sent with itself attached. The worm appeared only a little more than two weeks before Slammer.

= Behavior =

Sobig arrives in an email with the sender address "big@boss.com". There are four possible subjects:


 * Re: Movies
 * Re: Sample
 * Re: Document
 * Re: Here is that sample

And four possible attachment names:


 * Movie_0074.mpeg.pif
 * Document003.pif
 * Untitled1.pif
 * Sample.pif
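
The sender, subject and attachment names above are fixed in Sobig.A, so a mail filter can match on them directly. The following is an added example written for this page (not the worm's code or any vendor's signature): it parses one raw message with Python's standard email library and reports which of the listed indicators it matches. The sample message is constructed, with a stub in place of the attachment body.

```python
import email
from email import policy

# Sobig.A indicators as listed above
SOBIG_SENDER = "big@boss.com"
SOBIG_SUBJECTS = {"Re: Movies", "Re: Sample", "Re: Document", "Re: Here is that sample"}
SOBIG_ATTACHMENTS = {"Movie_0074.mpeg.pif", "Document003.pif", "Untitled1.pif", "Sample.pif"}


def sobig_indicators(raw_message: str) -> list:
    """Return the Sobig.A indicators matched by one raw RFC 822 message, in header order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    if SOBIG_SENDER in msg.get("From", "").lower():
        hits.append("sender:" + SOBIG_SENDER)
    subject = msg.get("Subject", "").strip()
    if subject in SOBIG_SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.walk():  # every MIME part, including nested ones
        name = part.get_filename()
        if not name:
            continue
        if name in SOBIG_ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name.lower().endswith(".pif"):
            hits.append("attachment-ext:.pif")  # unknown .pif name: still worth flagging
    return hits


# Constructed sample message (not a real capture); the attachment body is a stub.
SAMPLE = """From: big@boss.com
Subject: Re: Sample
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Sample.pif"

stub
--b1--
"""

CLEAN = "From: alice@example.invalid\nSubject: Re: lunch\n\nSee you at noon.\n"
```

The generic .pif check is broader than the page's list on purpose: later variants change names and senders, but a .pif attachment in mail is rarely legitimate.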

When Sobig is executed, it copies itself to the windows folder as Winmgm32.exe. It creates a mutex named Worm.X to make sure there is no copy of Sobig running on that system. Due to a bug in the creation of the mutex, it is possible to run more than one copy of the worm on a single system. The worm adds the value "WindowsMGM = (windows folder)\Winmgm32.exe" to the current user and local machine registry key that will cause the worm to start whenever the system is booted.

The worm sends a message to the address 0@pagers.icq.com. The subject of the message is "Notify" and the only text is "Hello". This is likely an attempt by the creator to count worm infections.

It downloads the file reteral.txt from http://www.geocities.com/reteras to the Windows folder as dwn.dat. This file contains a URL written by the person or people who control the content of that site. Sometimes the URL is completely bogus, to mislead anyone who might try to get the site shut down, but at times it has been http://www.loricoshop.com/users/serak/txtfile.txt, the actual URL of a trojan named Lala or Zasil. Txtfile.txt is downloaded as mptask.exe.

Sobig searches for open network shares and copies itself to the root of drives C:, D: and E:, and the startup folder of any machine it finds on the local network. Whenever a user logs on to these systems, they will be infected.

It searches all non-removable drives from A: to Z:, with a 3-second delay between each drive, for files with the following extensions, from which it harvests email addresses:


 * .dbx
 * .eml
 * .html
 * .htm
 * .txt
 * .wab

It saves the addresses to the file sntmls.dat, which it creates in the Windows directory. Sobig has its own SMTP engine to mail itself. It keeps a list of emails that it has already sent an email to in the file smtmls.ini, in the Windows directory.

Every two hours, the worm checks the site that it downloaded dwn.dat from for updates and installs them.

Trojan
The Lala trojan sends an HTTP notification to a CGI script on http://www.banking-concern.com/cgi-bin/index7.cgi. Different versions of the trojan may use a different number after "index". Some versions install a keylogger, while some later versions install a trojan, the Lithium Remote Access trojan, which will give anyone with the Lithium remote client full access to the infected system.

It then downloads the file g5aa.txt from the same "loricoshop" site that the worm downloaded the original trojan from, and saves it as g5aa.exe in the Windows folder. This is an installer for the Wingate Proxy Server, legitimate software that the trojan uses in violation of its licensing terms. It opens the following ports and starts the following services on them:


 * Port 555 - RTSP Streaming Media Proxy
 * Port 608 - Remote Control Service
 * Port 1180 - SOCKS Proxy server
 * Port 1181 - Telnet Proxy server
 * Port 1182 - WWW Proxy server
 * Port 1183 - FTP Proxy server
 * Port 1184 - POP3 Proxy server
 * Port 1185 - SMTP Server
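
Because Wingate is an ordinary proxy package, the most direct host-side sign of this installation is the set of listening ports above. The following is an added example for this page (not part of the original write-up or of any tool): it reads "netstat -an" style output and maps any of the listed ports found in the LISTENING state to the service name given above. The sample output is constructed, not captured from an infected host.

```python
# Ports opened by the Wingate installer dropped by the Lala trojan, as listed above.
WINGATE_PORTS = {
    555: "RTSP Streaming Media Proxy",
    608: "Remote Control Service",
    1180: "SOCKS Proxy server",
    1181: "Telnet Proxy server",
    1182: "WWW Proxy server",
    1183: "FTP Proxy server",
    1184: "POP3 Proxy server",
    1185: "SMTP Server",
}


def wingate_listeners(netstat_output: str) -> dict:
    """Map each Wingate port found LISTENING in 'netstat -an' style output to its service."""
    found = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        # Expected layout of a TCP row: Proto  Local Address  Foreign Address  State
        if len(fields) < 4 or fields[0].upper() != "TCP" or fields[3] != "LISTENING":
            continue
        port_text = fields[1].rsplit(":", 1)[-1]  # works for 0.0.0.0:1180 and [::]:1180
        if not port_text.isdigit():
            continue
        port = int(port_text)
        if port in WINGATE_PORTS:
            found[port] = WINGATE_PORTS[port]
    return found


# Constructed sample output (not a real capture). 1182 is ESTABLISHED, not LISTENING,
# so it is deliberately not reported.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1180           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1185           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1182       10.0.0.9:3456          ESTABLISHED
  UDP    0.0.0.0:1185           *:*
"""
```

A match on these ports alone is a lead, not proof: confirm it against the g5aa.exe and mptask.exe files in the Windows folder described above.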

The trojan can essentially turn an infected machine into a spamming zombie.

= Variants =

While the original Sobig and its first few variants were very prolific, none made the huge impact that Sobig.F made. Sobig.B was at first believed to be a completely original worm and was named Palyh and Mankx. Many of the variants up to Sobig.F were low to moderate risks and so similar to one another (2003 was the height of the mass-mailer worm, with a new worm family or variant appearing almost every day) that one writer on computer security called them "tedious" and "annoying".

All Sobig worms after the original had "expiration dates", after which the worm stops looking for new machines to infect. They continue looking for their updates even after the expiration dates. Some have been reported not to expire when they are supposed to. This may be because many home computers had their CMOS clocks incorrectly set, because of a dead or improperly replaced

Sobig.E
This variant is the only one to send its attachment in the .zip format. The worm contains the Zlib Deflate library to compress its files (which probably accounts for the fact that Sobig.E uncompressed is the largest version of Sobig, weighing in at 86.528 bytes). There are 5 possible names for the attachment file (its content in parentheses):


 * Your_details.zip (Details.pif)
 * Application.zip (Application.pif)
 * Document.zip (Document.pif)
 * Screensaver.zip (Sky.world.scr)
 * Movie.zip (Movie.pif)

Microsoft released a patch for Outlook that allowed users to block emails with certain file types, but the .zip format was not on it at the time.

Sobig.F
While all previous versions of Sobig had hard-coded sender lines, Sobig.F used "spoofing": it put a random email address found on the infected computer in the sender line. This increases the likelihood that a recipient will be familiar with the alleged sender, and it defeats any recipient who is relying on the worm having a known sender line such as big@boss.com.

Sobig.F spread faster than any other email worm of its time, in spite of the fact that a bug in its code prevented it from spreading over the local network. In attempting to spread over networks, the worm makes a list of the first 1,000 files it finds on the current machine. It randomly takes the name of one of these files and adds the .exe extension. Unfortunately for the worm, its code for spreading across networks ends there: the creator released the worm before writing the portion that copies it across the network.

Sobig.F also adds .mht and .hlp files to the list of file types it will look for email addresses in.

= Effects =

Computers at the BBC became infected with the worm, only weeks after being infected with a variant of the ExploreZip worm. From there, the worm was sent to the mailing list for fans of the "Archers", a popular, long-running radio drama. The storyline at the time ironically had one of the Archers characters teaching another how to use email.

Sobig.F was the most prolific worm of its time and held the record for the number of emails sent, among other records. The email filtering company MessageLabs claims to have stopped over 1,000,000 copies on the first day of the outbreak and 32,432,730 copies of the worm from the time of its release until about December 10. At its height it accounted for 1 in every 17 emails stopped by the company, and two thirds of the world's spam came from Sobig's trojan.

The group mi2g claimed that the worm caused $37.1 billion in total damages (they are often criticised for their high estimates). This was their highest estimate until Mydoom was alleged to have caused $38.5 billion in damage.

In England, a man claims to have received 115 Sobig.F emails in 12 hours, one every six minutes.

= Creator =

The creator of Sobig is as of this writing unknown. Microsoft offered $250,000 of its $5,000,000 Anti-Virus Reward Program for information leading to the capture and conviction of the worm's creator. Some researchers of the worm point out similarities to a spamming program named Send-Safe, developed by Ruslan Ibragimov, a resident of Moscow, Russia, as an indication that Ibragimov and possibly a team of developers created the worm. Ibragimov denied this and pointed out a number of flaws in the theory. In addition, he said that since the Sobig worm's appearance, he had lost a significant number of customers.

= Name =

The first Sobig worm was named Sobig by nearly all antivirus companies, with the exception of Doctor Web, which referred to it as Reteras, the name of the page from which it downloads the URL for the spamming trojan. Sobig.B was named Palyh or Mankx before it was realised that it was a variant of Sobig.

Antivirus Aliases

 * Avast: Win32:Sobig
 * Avira: Worm/Sobig.A
 * BitDefender: Win32.Sobig.A@mm
 * CA: Win32.Sobig
 * Doctor Web: Win32.HLLM.Reteras
 * F-Prot: W32/Sobig.A@mm
 * McAfee: W32/Sobig@MM
 * Kaspersky: Email-Worm.Win32.Sobig.a or I-Worm.Sobig.a
 * Sophos: W32/Sobig-A
 * Symantec: W32.Sobig.A@mm
 * Trend Micro: WORM_Sobig.A

= Other Facts =

Sobig was the first of the spam botnet worms. While some worms, like Tanatos, dropped trojans on the computers they infected, Sobig was the first to turn computers into spam relays. There were, however, earlier (probably experimental) worms such as Bymer that did something similar by dropping a distributed computing client, but Sobig is still considered the first botnet worm.

Before the advent of broadband Internet, manually sending spam or making use of an open SMTP relay were the most common methods of sending spam emails, but these methods are time-consuming and/or can quickly lead to the spammer being caught and (at least) having an account revoked. The botnet was a godsend to spammers, as it made it easy to falsify email headers and to hide the spammer's identity in many other ways, while sending millions of spam emails per day.