Store

Symantec.com > Enterprise > Security Response > W32.Sobig.C@mm
PRINT THIS PAGE

W32.Sobig.C@mm

Risk Level 2: Low

Discovered:
May 31, 2003
Updated:
February 13, 2007 12:01:51 PM
Also Known As:
W32/Sobig.c@MM [McAfee], Win32/Sobig.C [ESET], Sobig.C [F-Secure], I-Worm.Sobig.c [KAV], WORM_SOBIG.C [Trend], Win32.Sobig.C [CA], W32/Sobig-C [Sophos]
Type:
Worm
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

NOTE: As of June 13, 2003, due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from Category 3 to Category 2.

W32.Sobig.C@mm is a mass-mailing worm that sends itself to all the email addresses that it finds in the files with the following extensions:
  • .wab
  • .dbx
  • .htm
  • .html
  • .eml
  • .txt

The email falsely purports that Microsoft sent it (bill@microsoft.com).

Email Routine Details
The email message has the following characteristics:

From: bill@microsoft.com (NOTE: W32.Sobig.C@mm spoofs this field. It could be any address.)

Subject: The subject line will be one of the following:
  • Re: Movie
  • Re: Submited (004756-3463)
  • Re: 45443-343556
  • Re: Approved
  • Approved
  • Re: Your application
  • Re: Application
Message Body: Please see the attached file.

Attachment: The attachment name will be one of the following:
  • screensaver.scr
  • movie.pif
  • submited.pif
  • 45443.pif
  • documents.pif
  • approved.pif
  • application.pif
  • document.pif

NOTE: The worm de-activates on June 8, 2003, and therefore, the last day on which the worm will spread is June 7, 2003.


Antivirus Protection Dates

  • Initial Rapid Release version June 1, 2003
  • Latest Rapid Release version March 21, 2012 revision 038
  • Initial Daily Certified version June 1, 2003
  • Latest Daily Certified version March 22, 2012 revision 003
  • Initial Weekly Certified release date June 1, 2003
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

  • Wild Level: Medium
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: Medium
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Low

Distribution

  • Distribution Level: High
Writeup By: Douglas Knowles
Technical Details

Search Threats

Search by name

Example: W32.Beagle.AG@mm
ThreatCon Widget
Internet Security Threat Report, Volume 16
Symantec DeepSight Screensaver
©1995 - 2012 Symantec Corporation
Careers|
About|
Site Map|
Legal|
Privacy|
Contact|
RSS