Another W32.Sobig worm was found running Wild this week!

Question

Beware of the W32.Sobig.E@mm worm that was discovered 6-25-03 and is already rated a category 3 on Symantec Security Response.

Answer

This question was answered on June 27, 2003. Much of the information contained herein may have changed since posting.

Symantec Security Response has upgraded W32.Sobig.E@mm from a Category 2 to a 3 as of June 26, 2003. This is a completely different worm then W32.Sobig.B@mm & W32.Sobig.C@mm.

W32.Sobig.E@mm is a mass-mailing worm That sends itself to all email addresses that it finds in the files with the following extensions:

- .wab

- .dbx

- .htm

- .html

- .eml

- .txt

This is considered to be a very wild worm. The email comes in disguise as something from Yahoo and has an attachment.

The email message has the following characteristics:

Subject: It is one of the following:

- Re: Application

- Re: Movie

- Re: Movies

- Re: Submitted

- Re: ScRe:ensaver

- Re: Documents

- Re: Re: Application ref 003644

- Re: Re: Document

- Your application

- Application.pif

- Applications.pif

- movie.pif

- Screensaver.scr

- submited.pif

- new document.pif

- Re: document.pif

- 004448554.pif

- Referer.pif

Attachment: It is one of the following:

- Your_details.zip (contains Details.pif)

- Application.zip (contains Application.pif)

- Document.zip (contains Document.pif)

- Screensaver.zip (contains Sky.world.scr)

- Movie.zip (contains Movie.pif)

Most Windows operating systems are affected.

NOTE: The worm de-activates on June 14, 2003, and therefore, the last day on which the worm will spread is June 13, 2003.

Symantec advises all possible victims to download latest virus definitions immediately and deploy.

Get complete instruction on protection and removal from Symantec at:

<a href="http://sarc.com/avcenter/venc/data/w32.sobig.e@mm.html"> http://sarc.com/avcenter/venc/data/w32.sobig.e@mm.html</a>

Author

Posted by Michal of Data Doctors on June 27, 2003