The SoBig
worm spreads through email attachments and shared network folders. It
sends copies of itself via is own SMTP engine and obtains the recipient
addresses from information found in files with the following extensions:
|
The details of the email are
Sender: bill@microsoft.com <or any of the identified recipient addresses>
The subject can be:
- Re: Screensaver
- Re: Movie
- Re: Submited (004756-3463)
- Re: 45443-343556
- Re: Approved
- Approved
- Re: Your application
- Re: Application
The message body contains:
Please see the attached file.
And the attachment is one of the following
- screensaver.scr
- movie.pif
- submited.pif
- 45443.pif
- documents.pif
- approved.pif
- application.pif
- document.pif
The worm also attempts to copy itself to the following folders on all the open network shares:
- \Windows\All Users\Start Menu\Programs\StartUp
- Documents and Settings\All Users\Start Menu\Programs\Startup
The worm stops spreading via network shares on June 8, 2003.
How to Clean/Delete the SoBig.C Worm?
Follow these steps in removing the SoBig.C worm.
1) Terminate the running program
- Open the Windows Task Manager by either pressing CTRL+ALT+DEL on Win9x machines or CTL+Shift+Tab and clicking on the Processes tab on WinNT/2000/XP machines.
- Locate the following program, click on it and End Task or End Process
System MScvb or mscvb32.exe
- Close Task Manager
2) Remove the Registry entries
- Click on Start, Run, Regedit
- In the left panel go to
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current Version>Run
- In the right panel, right-click and delete the following entry
System MScvb
Repeat this procedure for the following location
HKEY_CURRENT_USER>Software>Microsoft>Windows>Current Version>Run
- Close the Registry Editor
3) Delete the infected files
- Click Start, point to Find or Search, and then click Files or Folders.
- Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
- In the
"Named" or "Search for..." box, type, or copy and paste, the file names:
msddrr.dat
mscvb32.exe - Click Find Now or Search Now.
- Delete the displayed files.
4) Reboot the computer and run a thorough virus scan using your favorite antivirus program.
For Automatic Removal of the SoBig.C worm, click on the following link
Symantec SoBig.C Automatic Removal Program
Removal of Other SoBig worm viruses
| Search PCHell.com |
|
| site search by freefind | advanced |
Tools for Removing Spyware, Adware, and Malware
PC HELL
Other Pages
Welchia (Dllhost.exe and SVCHost.exe) Worm Removal
Uninstall Antivir Instructions
How to Manually Run the Microsoft Malicious Software Removal Tool
Bloodhound.Exploit.6 Virus Removal
Backdoor SDBot.H Trojan Removal
iPadastic - News, Tutorials, Help, Tips, and Hints for the iPad
Download Hoyle Games
including Casino 3D, Card, Board, and Solitaire games.
