
W32.Sobig.E@mm

Risk Level 2: Low

Discovered: June 25, 2003
Updated: February 13, 2007 12:02:53 PM
Also Known As: Win32.Sobig.E [CA], W32/Sobig-E [Sophos], W32/Sobig.e@MM [McAfee], WORM_SOBIG.E [Trend], I-Worm.Sobig.e [KAV]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Due to a decreased rate of submissions and the hard-coded deactivation date, Symantec Security Response has downgraded this threat from a Category 3 to a Category 2 as of July 16, 2003.

W32.Sobig.E@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses that it finds in the files with the following extensions:
  • .wab
  • .dbx
  • .htm
  • .html
  • .eml
  • .txt

The email falsely purports that Yahoo sent it (support@yahoo.com).

Email Routine Details
The email message has the following characteristics:

From: support@yahoo.com (NOTE: W32.Sobig.E@mm spoofs this field. It could be any address.)

Subject: The subject line will be one of the following:
  • Re: Application
  • Re: Movie
  • Re: Movies
  • Re: Submitted
  • Re: ScRe:ensaver
  • Re: Documents
  • Re: Re: Application ref 003644
  • Re: Re: Document
  • Your application
  • Application.pif
  • Applications.pif
  • movie.pif
  • Screensaver.scr
  • submited.pif
  • new document.pif
  • Re: document.pif
  • 004448554.pif
  • Referer.pif

Attachment: The attachment name will be one of the following:
  • Your_details.zip (contains Details.pif)
  • Application.zip (contains Application.pif)
  • Document.zip (contains Document.pif)
  • Screensaver.zip (contains Sky.world.scr)
  • Movie.zip (contains Movie.pif)
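
A mail-filter check built from the attachment list above, added here as an example and not part of the original write-up. Because the From field is spoofed, it keys on the ZIP name and the member inside it rather than on the sender; the function names `inspect_message` and `build_sample` are hypothetical and the sample message is constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment names and inner file names as listed in this write-up (lowercased).
SOBIG_E_ARCHIVES = {
    "your_details.zip": "details.pif",
    "application.zip": "application.pif",
    "document.zip": "document.pif",
    "screensaver.zip": "sky.world.scr",
    "movie.zip": "movie.pif",
}
RISKY_EXTENSIONS = (".pif", ".scr")


def inspect_message(raw: bytes) -> list[str]:
    """Return findings for ZIP attachments matching the listed names or holding .pif/.scr."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                members = [m.lower() for m in zf.namelist()]
        except zipfile.BadZipFile:
            findings.append(f"{name}: unreadable ZIP, hold for manual review")
            continue
        if SOBIG_E_ARCHIVES.get(name) in members:
            findings.append(f"{name}: matches listed archive/member pair")
        elif any(m.endswith(RISKY_EXTENSIONS) for m in members):
            findings.append(f"{name}: contains .pif/.scr member")
    return findings

def build_sample(zip_name: str, member: str) -> bytes:
    """Constructed test message; the member holds harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "placeholder, not executable content")
    msg = EmailMessage()
    msg["From"] = "support@yahoo.com"
    msg["Subject"] = "Re: Application"
    msg.set_content("constructed sample body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()
```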

NOTE: The worm de-activates on July 14, 2003, and therefore, the last day on which the worm will spread is July 13, 2003. While the worm no longer attempts to spread, it will still attempt to perform an update during the trigger period referenced below.


Antivirus Protection Dates

  • Initial Rapid Release version June 25, 2003
  • Latest Rapid Release version July 29, 2012 revision 001
  • Initial Daily Certified version June 25, 2003
  • Latest Daily Certified version July 29, 2012 revision 006
  • Initial Weekly Certified release date June 25, 2003

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: Medium
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: High
