1. /
  2. Security Response/
  3. W32.Sobig.B@mm

W32.Sobig.B@mm

Risk Level 2: Low

Discovered:
May 18, 2003
Updated:
February 13, 2007 12:01:21 PM
Also Known As:
W32.HLLW.Mankx@mm, W32/Palyh@MM [McAfee], W32/Palyh-A [Sophos], I-Worm.Palyh [KAV], WORM_PALYH.A [Trend], Win32.Palyh.A [CA]
Type:
Worm
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

NOTE: Due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from Category 3 to Category 2 as of June 13, 2003.

W32.Sobig.B@mm is a mass-mailing worm that sends itself to all the email addresses, purporting to have been sent by Microsoft (support@microsoft.com). The worm finds the addresses in the files with the following extensions:
  • .wab
  • .dbx
  • .htm
  • .html
  • .eml
  • .txt

Email Routine Details
The email message has the following characteristics:

From: support@microsoft.com

Subject: The subject line will be one of the following:
  • Your details
  • Approved (Ref: 38446-263)
  • Re: Approved (Ref: 3394-65467)
  • Your password
  • Re: My details
  • Screensaver
  • Cool screensaver
  • Re: Movie
  • Re: My application
Message Body: All information is in the attached file.

Attachment: The attachment name will be one of the following:
  • your_details.pif
  • ref-394755.pif
  • approved.pif
  • password.pif
  • doc_details.pif
  • screen_temp.pif
  • screen_doc.pif
  • movie28.pif
  • application.pif

NOTES:
  • The worm de-activates on May 31, 2003, and therefore, the last day on which the worm will spread is May 30, 2003.
  • Virus definitions dated prior to May 19, 2003 may detect this threat as W32.HLLW.Mankx@mm.



Antivirus Protection Dates

  • Initial Rapid Release version May 18, 2003
  • Latest Rapid Release version January 18, 2011 revision 041
  • Initial Daily Certified version May 18, 2003
  • Latest Daily Certified version January 19, 2011 revision 003
  • Initial Weekly Certified release date May 18, 2003
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

  • Wild Level: Medium
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: Medium
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Low

Distribution

  • Distribution Level: High
Writeup By: Douglas Knowles

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver