W32.Sobig.F@mm Virus - warning and info


Hodge
21-08-2003, 10:46
The W32.Sobig.F@mm is one of the most successful viri since LoveBug, so I just thought I'd post some info on it (from the Symantec site), to warn everyone:

-------------------------------------------------------

W32.Sobig.F@mm

W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in the files that have the following extensions:

.dbx
.eml
.hlp
.htm
.html
.mht
.wab
.txt

The worm uses its own SMTP engine to propagate and will attempt to create a copy of itself on accessible network shares, but fails due to bugs in the code.

Email Routine Details
The email message has the following characteristics:

From: Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address admin@internet.com as the sender.

NOTES:
The spoofed addresses and the Send To addresses are both taken from the files found on the computer. Also, the worm may use the infected computer's settings to check for an SMTP server to contact.
The choice of the internet.com domain appears to be arbitrary and does not have any connection to the actual domain or its parent company.

Subject:
Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Thank you!
Your details

Body:
See the attached file for details
Please see the attached file for details.

Attachment:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

NOTE: The worm de-activates on September 10, 2003. The last day on which the worm will spread is September 9, 2003.

-------------------------------------------------------

The full page/info can be viewed here:

http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html

Symantec have also created a small removal tool, which can be downloaded here:

http://www.symantec.com/avcenter/venc/data/w32.sobig.f@mm.removal.tool.html

Just make sure your AV s/w has the latest virus definitions file, and you'll be fine (19/8/03 for NAV)
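As an added example (not part of the post above and not Symantec's tool), here is a small Python check that matches a mail message against the subject, body and attachment indicators quoted from the write-up; the sample messages it builds are constructed for testing, not real captures.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted from the Symantec write-up in the post above.
SOBIG_F_SUBJECTS = {
    "Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Thank you!", "Your details",
}
SOBIG_F_BODIES = {
    "See the attached file for details",
    "Please see the attached file for details.",
}
SOBIG_F_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}


def score_message(raw: bytes) -> dict:
    """Return which Sobig.F indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    hits = {"subject": subject in SOBIG_F_SUBJECTS,
            "body": False, "attachment": False}
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower() in SOBIG_F_ATTACHMENTS:
            hits["attachment"] = True
        elif part.get_content_type() == "text/plain":
            if part.get_content().strip() in SOBIG_F_BODIES:
                hits["body"] = True
    # A known attachment name alone is decisive; subject plus body together
    # is still a strong signal even if the attachment was stripped upstream.
    hits["verdict"] = bool(hits["attachment"] or (hits["subject"] and hits["body"]))
    return hits


def build_sample(subject: str, body: str, attachment_name: str = None) -> bytes:
    """Constructed sample message (not a real capture) for exercising the check."""
    m = EmailMessage()
    m["From"] = "admin@internet.com"  # spoofed sender named in the write-up
    m["To"] = "someone@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()
```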

Classic Rock
21-08-2003, 12:49
I've had it this morning. I checked one of my hotmail accounts and it was full of returned emails that I'd supposedly sent to a total stranger that had bounced back as they had a virus. My other hotmail account was not affected, nor was the computer I use at work (where I access the hotmail from). Odd that only one email account has been affected.

DaBouncer
21-08-2003, 15:28
I've had that run through my lycos account too!
I didn't open any of the attachments fortunately either!

79 f****** emails!