Juniper Networks

Signature Detail

Security Intelligence Center
Signatures
Short Name

WORM:EMAIL:SOBIG-DL-REQUEST

Severity

High

Recommended

No

Recommended Action

Drop

Category

WORM

Keywords

Sobig worm

Release Date

2003/07/23

Update Number

1213

Supported Platforms

idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

WORM: W32.Sobig.E Worm External Communication


This signature detects outbound communication by the W32.Sobig.E worm, a three-stage proxy server Trojan. A host infected with the first stage can download subsequent stages of the worm. After initial infection, the 1st stage Trojan removes its registry entries, copies itself to the system folder, edits the registry to run the Trojan at startup, and contacts a hidden server at UDP/8998 to obtain the URL for the 2nd stage Trojan site. After download, the 2nd stage Trojan sends user data to the worm author and downloads the 3rd stage Trojan (a Wingate proxy server) from a URL listed in the 2nd stage .ini file. User data can include usernames and passwords for financial Web accounts (obtained using a keystroke logger) and Web browser cookies.

Extended Description

Once a host is infected, the W32.Sobig.E worm allows information to be leaked from the host and arbitrary code to be executed on it.

References

  • URL: http://www.lurhq.com/sobig-e.html
  • URL: http://vil.nai.com/vil/content/v_100429.htm
  • URL: http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.