1. /
  2. Security Response/
  3. W32.Sobig.F@mm

W32.Sobig.F@mm

Risk Level 2: Low

Discovered:
August 18, 2003
Updated:
February 13, 2007 12:05:18 PM
Also Known As:
Sobig.F [F-Secure], W32/Sobig.f@MM [McAfee], WORM SOBIG.F [Trend], W32/Sobig-F [Sophos], Win32.Sobig.F [CA], I-Worm.Sobig.f [KAV]
Type:
Worm
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Due to a decreased rate of submissions, and the hard coded deactivation date, Symantec Security Response has downgraded this threat to a Category 2 from a Category 4 as of September 15, 2003.

W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in the files that have the following extensions:
  • .dbx
  • .eml
  • .hlp
  • .htm
  • .html
  • .mht
  • .wab
  • .txt

The worm uses its own SMTP engine to propagate. It also attempts to create a copy of itself on accessible network shares, but fails due to bugs in the code.


Email routine details
The email message has the following characteristics:

From: Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address, admin@internet.com, as the sender.
    NOTES:
    • The spoofed addresses and the Send To addresses are both taken from the files found on the computer. Also, the worm may use the settings of the infected computer's settings to check for an SMTP server to contact.
    • The choice of the internet.com domain appears to be arbitrary and does not have any connection to the actual domain or its parent company.

Subject:
  • Re: Details
  • Re: Approved
  • Re: Re: My details
  • Re: Thank you!
  • Re: That movie
  • Re: Wicked screensaver
  • Re: Your application
  • Thank you!
  • Your details

Body:
  • See the attached file for details
  • Please see the attached file for details.

Attachment:
  • your_document.pif
  • document_all.pif
  • thank_you.pif
  • your_details.pif
  • details.pif
  • document_9446.pif
  • application.pif
  • wicked_scr.scr
  • movie0045.pif


NOTES:
  • The worm de-activates on September 10, 2003. The last day after which the worm should stop spreading is September 9, 2003. However, computers with out of date system clocks are still vulnerable to the worm and may contribute to its spread after the de-activation date.
  • The aforementioned de-activation date applies only to the mass-mailing, network propagation, and email address collection routines. This means that a W32.Sobig.F@mm-infected computer will still attempt to download the updates from the respective list of master servers during the associated trigger period, even after the infection de-activation date. Previous variants of Sobig exhibited similar behavior.
  • Outbound udp traffic was observed on August 22nd, coming from systems infected with both Sobig.E and Sobig.F. However, the target IP addresses were either not responding, taken offline, or contained non-executable content; that is, a link to an adult site.
  • W32.Sobig.F@mm uses a technique known as "email spoofing," by which the worm randomly selects an address it finds on an infected computer. For more information on email spoofing, see the "Technical Details" section below.

Symantec Security Response has developed a removal tool to clean the infections of W32.Sobig.F@mm.




Due to the nature of the email spoofing, a substantial amount of extraneous traffic is generated as a result of virus notifications being sent to invalid email addresses. One solution to alleviate this problem would be to disable the Virus Notification messages that gateway and server-based mail products send.

Antivirus Protection Dates

  • Initial Rapid Release version August 19, 2003
  • Latest Rapid Release version May 26, 2013 revision 022
  • Initial Daily Certified version August 19, 2003
  • Latest Daily Certified version May 27, 2013 revision 004
  • Initial Weekly Certified release date August 19, 2003
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: High
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: High
Writeup By: Benjamin Nahorney

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report, Volume 17
Symantec DeepSight Screensaver