W32.Sobig.B@mm

NOTE: Due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from Category 3 to Category 2 as of June 13, 2003.

W32.Sobig.B@mm is a mass-mailing worm that sends itself to all the email addresses, purporting to have been sent by Microsoft (support@microsoft.com). The worm finds the addresses in the files with the following extensions:

• .wab
• .dbx
• .htm
• .html
• .eml
• .txt

Email Routine Details
The email message has the following characteristics:

From: support@microsoft.com

Subject: The subject line will be one of the following:

• Your details
• Approved (Ref: 38446-263)
• Re: Approved (Ref: 3394-65467)
• Your password
• Re: My details
• Screensaver
• Cool screensaver
• Re: Movie
• Re: My application
  

Message Body: All information is in the attached file.

Attachment: The attachment name will be one of the following:

• your_details.pif
• ref-394755.pif
• approved.pif
• password.pif
• doc_details.pif
• screen_temp.pif
• screen_doc.pif
• movie28.pif
• application.pif

NOTES:

• The worm de-activates on May 31, 2003, and therefore, the last day on which the worm will spread is May 30, 2003.
• Virus definitions dated prior to May 19, 2003 may detect this threat as W32.HLLW.Mankx@mm.

Protection

• Initial Rapid Release version May 18, 2003
• Latest Rapid Release version July 27, 2009 revision 085
• Initial Daily Certified version May 18, 2003
• Latest Daily Certified version July 27, 2009 revision 073
• Initial Weekly Certified release date May 18, 2003

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Medium
• Number of Infections: More than 1000
• Number of Sites: More than 10
• Geographical Distribution: Medium
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low

Distribution

• Distribution Level: High