W32.Sobig.C@mm

NOTE: As of June 13, 2003, due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from Category 3 to Category 2.

W32.Sobig.C@mm is a mass-mailing worm that sends itself to all the email addresses that it finds in the files with the following extensions:

• .wab
• .dbx
• .htm
• .html
• .eml
• .txt

The email falsely purports that Microsoft sent it (bill@microsoft.com).

Email Routine Details
The email message has the following characteristics:

From: bill@microsoft.com (NOTE: W32.Sobig.C@mm spoofs this field. It could be any address.)

Subject: The subject line will be one of the following:

• Re: Movie
• Re: Submited (004756-3463)
• Re: 45443-343556
• Re: Approved
• Approved
• Re: Your application
• Re: Application
  

Message Body: Please see the attached file.

Attachment: The attachment name will be one of the following:

• screensaver.scr
• movie.pif
• submited.pif
• 45443.pif
• documents.pif
• approved.pif
• application.pif
• document.pif

NOTE: The worm de-activates on June 8, 2003, and therefore, the last day on which the worm will spread is June 7, 2003.

Protection

• Initial Rapid Release version June 1, 2003
• Latest Rapid Release version February 3, 2010 revision 041
• Initial Daily Certified version June 1, 2003
• Latest Daily Certified version February 3, 2010 revision 048
• Initial Weekly Certified release date June 1, 2003

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Medium
• Number of Infections: More than 1000
• Number of Sites: More than 10
• Geographical Distribution: Medium
• Threat Containment: Easy
• Removal: Moderate

Damage

• Damage Level: Low

Distribution

• Distribution Level: High