NOTE: Due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from Category 3 to Category 2 as of June 13, 2003.
W32.Sobig.B@mm is a mass-mailing worm that sends itself to all the email addresses it finds, purporting to have been sent by Microsoft (support@microsoft.com). The worm finds the addresses in files with the following extensions:
- .wab
- .dbx
- .htm
- .html
- .eml
- .txt
Email Routine Details
The email message has the following characteristics:
From: support@microsoft.com
Subject: The subject line will be one of the following:
- Your details
- Approved (Ref: 38446-263)
- Re: Approved (Ref: 3394-65467)
- Your password
- Re: My details
- Screensaver
- Cool screensaver
- Re: Movie
- Re: My application
Message Body: All information is in the attached file.
Attachment: The attachment name will be one of the following:
- your_details.pif
- ref-394755.pif
- approved.pif
- password.pif
- doc_details.pif
- screen_temp.pif
- screen_doc.pif
- movie28.pif
- application.pif
NOTES:
- The worm de-activates on May 31, 2003, and therefore, the last day on which the worm will spread is May 30, 2003.
- Virus definitions dated prior to May 19, 2003 may detect this threat as W32.HLLW.Mankx@mm.
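The message characteristics listed under Email Routine Details can be checked at a mail gateway or against an archived mailbox. The following Python is an added example, not Symantec's detection logic: the function names (`indicators`, `is_suspect`, `build_sample`) and the rule that a listed attachment name must coincide with at least one other characteristic are assumptions made here, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators copied from the write-up above (compared case-insensitively).
FROM_ADDR = "support@microsoft.com"
SUBJECTS = {"your details", "approved (ref: 38446-263)", "re: approved (ref: 3394-65467)",
            "your password", "re: my details", "screensaver", "cool screensaver",
            "re: movie", "re: my application"}
ATTACHMENTS = {"your_details.pif", "ref-394755.pif", "approved.pif", "password.pif",
               "doc_details.pif", "screen_temp.pif", "screen_doc.pif", "movie28.pif",
               "application.pif"}
BODY = "all information is in the attached file."

def indicators(raw: bytes) -> set:
    """Return which of the listed characteristics one raw message carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if parseaddr(str(msg.get("From", "")))[1].lower() == FROM_ADDR:
        hits.add("from")
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition filename or Content-Type name
        if name and name.strip().lower() in ATTACHMENTS:
            hits.add("attachment")
        elif part.get_content_type() == "text/plain" and BODY in part.get_content().lower():
            hits.add("body")
    return hits

def is_suspect(raw: bytes) -> bool:
    """Flag only when a listed attachment name coincides with another indicator:
    the From address is forged, so it and the subject are weak on their own."""
    hits = indicators(raw)
    return "attachment" in hits and len(hits) >= 2

def build_sample(subject: str, body: str, attachment: str = None) -> bytes:
    """Constructed test message; the attachment payload is four harmless bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = f"Microsoft <{FROM_ADDR}>", "user@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"test", maintype="application", subtype="octet-stream",
                         filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    worm_like = build_sample("Re: Movie", "All information is in the attached file.", "movie28.pif")
    benign = build_sample("Your password", "Reset link inside.")
    print(sorted(indicators(worm_like)), is_suspect(worm_like))
    print(sorted(indicators(benign)), is_suspect(benign))
```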