How to rid your system of the SOBIG.B worm

dicentra at xmission.com
Fri Aug 22 03:26:44 UTC 2003


These instructions come from the Trend Micro Virus Encyclopedia
www.trendmicro.com/vinfo/virusencyclo/

Description:

This worm propagates by using its own SMTP engine to mass-mail copies of
itself to other users. It sends email with the following details:

From: support@microsoft.com
Subject: (any of the following)
Approved (Ref: 38446-263)
Cool screensaver
Re: Approved (Ref: 3394-65467)
Re: Movie
Re: My application
Re: My details
Screensaver
Your details
Your password

Message Body:
All information is in the attached file.

Attachment: (any of the following)
application.pif
approved.pif
doc_details.pif
movie28.pif
password.pif
ref-394755.pif
screen_doc.pif
screen_temp.pif
your_details.pif

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

Solution:

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process from memory.

   1. Open Windows Task Manager.
      On Windows 9x/ME systems, press
      CTRL+ALT+DELETE
      On Windows NT/2000/XP systems, press
      CTRL+SHIFT+ESC, and click the Processes tab.
   2. In the list of running programs*, locate the process:
      msccn32.exe
   3. Select the malware process, then press either the End Task or the
      End Process button, depending on the version of Windows on your system.
   4. To check if the malware process has been terminated, close Task
      Manager, and then open it again.
   5. Close Task Manager.

*NOTE: On systems running Windows 9x/ME, Windows Task Manager may not show
certain processes. You may use a third party process viewer to terminate the
malware process. Otherwise, continue with the next procedure, noting
additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from
executing during startup.

   1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then
      press Enter.
   2. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>Software>Microsoft>
      Windows>CurrentVersion>Run
   3. In the right panel, locate and delete the entry:
      System Tray = %Windows%\msccn32.exe
   4. In the left panel, double-click the following:
      HKEY_CURRENT_USER>Software>Microsoft>
      Windows>CurrentVersion>Run
   5. In the right panel, locate and delete the entry:
      System Tray = %Windows%\msccn32.exe
   6. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory, as
described in the previous procedure, restart your system.

Deleting a Malware File

   1. Locate the malware file.
            On Windows 9x/NT
            Click Start>Find>Files and Folders.
            On Windows 2000/ME/XP
            Click Start>Search>For Files and Folders.
   2. In the Search for files and folders named input box, type:
      hnks.ini; msdbrr.ini
   3. In the Look In drop-down list, select the drive which contains
      Windows, then press Enter.
   4. Once located, select the file, then press Delete.
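The following audit script is an added example; it is not Trend Micro's tooling and was not part of the original post. It turns the indicators listed above (the spoofed sender, subjects and .pif attachment names from the description, and the msccn32.exe process, the "System Tray" Run entries and the hnks.ini/msdbrr.ini files from the removal steps) into a read-only check that reports what it finds and removes nothing. It assumes Windows PowerShell 5.1 or later, which the Windows 9x/NT-era systems in the bulletin never had, and it assumes the bulletin's %Windows% corresponds to $env:SystemRoot. The sample message at the end is constructed for demonstration.

```powershell
# Audit-only check for the Sobig.B indicators quoted above. Added example,
# not Trend Micro's tooling. Assumes Windows PowerShell 5.1+ and that the
# bulletin's %Windows% directory is $env:SystemRoot. Reports only; removes nothing.

# Indicators copied from the bulletin text.
$SobigB = @{
    ProcessName = 'msccn32'                      # msccn32.exe
    RunValue    = 'System Tray'                  # autostart value name
    RunKeys     = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    IniFiles    = @('hnks.ini', 'msdbrr.ini')
    Sender      = 'support@microsoft.com'
    Subjects    = @('Approved (Ref: 38446-263)', 'Cool screensaver',
                    'Re: Approved (Ref: 3394-65467)', 'Re: Movie',
                    'Re: My application', 'Re: My details', 'Screensaver',
                    'Your details', 'Your password')
    Attachments = @('application.pif', 'approved.pif', 'doc_details.pif',
                    'movie28.pif', 'password.pif', 'ref-394755.pif',
                    'screen_doc.pif', 'screen_temp.pif', 'your_details.pif')
}

function Test-SobigBHost {
    # Returns one string per host indicator found on this machine.
    param([switch]$SearchSystemDrive)   # also walk the whole system drive for the .ini files (slow)
    $findings = @()

    # 1. Running process (what the Task Manager step looks for)
    $procs = @(Get-Process -Name $SobigB.ProcessName -ErrorAction SilentlyContinue)
    foreach ($p in $procs) { $findings += "process: $($SobigB.ProcessName).exe PID $($p.Id)" }

    # 2. Autostart entries (what the Registry Editor steps look for)
    foreach ($key in $SobigB.RunKeys) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.PSObject.Properties.Name -contains $SobigB.RunValue) {
            $data = $item.($SobigB.RunValue)
            if ($data -match 'msccn32\.exe') {
                $findings += "autostart: $key\$($SobigB.RunValue) = $data"
            }
        }
    }

    # 3. Dropped files. %Windows% in the bulletin is taken to be $env:SystemRoot (assumption).
    $candidates = @(Join-Path $env:SystemRoot 'msccn32.exe')
    $candidates += $SobigB.IniFiles | ForEach-Object { Join-Path $env:SystemRoot $_ }
    foreach ($f in $candidates) {
        if (Test-Path -LiteralPath $f) { $findings += "file: $f" }
    }
    if ($SearchSystemDrive) {
        # The bulletin searches the whole Windows drive for the .ini files; do the same on request.
        Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -Include $SobigB.IniFiles -ErrorAction SilentlyContinue |
            ForEach-Object {
                $entry = "file: $($_.FullName)"
                if ($findings -notcontains $entry) { $findings += $entry }
            }
    }
    return ,$findings
}

function Test-SobigBMessage {
    # Matches one message's headers and attachment names against the mail indicators;
    # returns the names of the fields that matched (empty array means no match).
    param([string]$From, [string]$Subject, [string[]]$AttachmentNames)
    $hits = @()
    if ($From -ieq $SobigB.Sender)            { $hits += 'from' }
    if ($SobigB.Subjects -contains $Subject)  { $hits += 'subject' }
    foreach ($a in $AttachmentNames) {
        if ($SobigB.Attachments -contains $a) { $hits += "attachment:$a" }
    }
    return ,$hits
}

# Constructed sample message (not a real capture) to show the mail check.
$sample = Test-SobigBMessage -From 'support@microsoft.com' -Subject 'Your details' -AttachmentNames @('your_details.pif')
Write-Output "Sample message hits: $($sample -join ', ')"

$hostHits = Test-SobigBHost
if ($hostHits.Count -eq 0) { Write-Output 'No Sobig.B host indicators found.' }
else { $hostHits | ForEach-Object { Write-Output "Found $_" } }
```

Run it from an elevated prompt so the HKLM Run key and $env:SystemRoot are readable; add -SearchSystemDrive to Test-SobigBHost only when the quick check in the Windows directory comes up empty, since a recursive walk of the system drive takes minutes. A machine that shows the process or the Run entries still needs the manual steps above or a current scanner; the script deliberately stops at reporting.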




More information about the HP4GU-FAQ archive