Question
Beware of the W32.Sobig.F@mm worm that was upgraded from Category 3 to 4 as of 8-21-03 on Symantec Security Response.
The Big Worm Strikes Again, This Time It Is W32.Sobig.F@mm!
Answer
This question was answered on August 21, 2003. Much of the information contained herein may have changed since posting.

This new version of Sobig is very sneaky and makes you think you are infected when you are not. Symantec Security Response has upgraded W32.Sobig.F@mm from a Category 3 to a 4 due to an increase of infection. This worm, although a variant, is a completely different worm than W32.Sobig.B@mm, C@mm, or E@mm.

W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all email addresses that it finds in the files with the following extensions:
- .wab
- .dbx
- .htm
- .html
- .eml
- .txt
- .hlp
- .mht

This is considered to be a very wild and highly distributed worm. The email comes in disguise as a spoofed address or uses the address admin@internet.com.

The email message has the following characteristics:

Subject: It is one of the following:
- Re: Details
- Re: Approved
- Re: Thank you!
- Re: Re: My Details
- Re: That movie
- Re: Wicked screensaver
- Re: Your application
- Thank you!
- Your details

Attachment: It is one of the following:
- your_document.pif
- thank_you.pif
- your_details.pif
- details.pif
- document_all.pif
- document_9446.pif
- wicked_scr.scr
- movie0045.pif

Most Windows operating systems are affected (Windows 2000, 95, 98, Me, NT, XP).

NOTE: The worm de-activates on September 10, 2003, and therefore, the last day on which the worm will spread is September 10, 2003.

Symantec advises all possible victims to download the latest virus definitions immediately and deploy them. Get complete instructions on protection and removal from Symantec at: http://sarc.com/avcenter/venc/data/w32.sobig.f@mm.html
Author
Posted by Michal of Data Doctors on August 21, 2003
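A mail-gateway style check built from the subject, sender and attachment indicators listed in the answer above, as an added example that is not part of the original post. The function names, the quarantine threshold and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the answer above; compared case-insensitively.
SUBJECTS = {
    "re: details", "re: approved", "re: thank you!", "re: re: my details",
    "re: that movie", "re: wicked screensaver", "re: your application",
    "thank you!", "your details",
}
ATTACHMENTS = {
    "your_document.pif", "thank_you.pif", "your_details.pif", "details.pif",
    "document_all.pif", "document_9446.pif", "wicked_scr.scr", "movie0045.pif",
}
SENDER = "admin@internet.com"


def sobig_f_indicators(raw: bytes) -> list:
    """Return the listed indicators that a raw RFC 5322 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # Collapse folded or repeated whitespace before comparing the subject.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject in SUBJECTS:
        hits.append("subject")
    if SENDER in str(msg.get("From", "")).lower():
        hits.append("sender")
    for part in msg.walk():  # visits every MIME part, including nested ones
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits


def should_quarantine(raw: bytes) -> bool:
    """Assumed threshold: any listed attachment name, or subject plus sender.
    The sender is often spoofed, so it is never sufficient on its own."""
    hits = sobig_f_indicators(raw)
    has_attachment = any(h.startswith("attachment:") for h in hits)
    return has_attachment or {"subject", "sender"} <= set(hits)


def build_sample(subject, sender, filename=None) -> bytes:
    """Build a constructed test message; the attachment is harmless bytes."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, sender, "user@example.org"
    m.set_content("constructed sample body")
    if filename:
        m.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Exact filename matching only covers the names in this list; blocking `.pif` and `.scr` attachments outright is the broader control.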