Due to a decreased rate of submissions and the hard-coded deactivation date, Symantec Security Response has downgraded this threat from Category 3 to Category 2 as of July 16, 2003.
W32.Sobig.E@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses that it finds in the files with the following extensions:
The email falsely claims to have been sent by Yahoo (firstname.lastname@example.org).
Email Routine Details
The email message has the following characteristics:
: W32.Sobig.E@mm spoofs this field. It could be any address.)
The subject line will be one of the following:
- Re: Application
- Re: Movie
- Re: Movies
- Re: Submitted
- Re: ScRe:ensaver
- Re: Documents
- Re: Re: Application ref 003644
- Re: Re: Document
- Your application
- new document.pif
- Re: document.pif
The attachment name will be one of the following:
- Your_details.zip (contains Details.pif)
- Application.zip (contains Application.pif)
- Document.zip (contains Document.pif)
- Screensaver.zip (contains Sky.world.scr)
- Movie.zip (contains Movie.pif)
The worm deactivates on July 14, 2003, so the last day on which it will spread is July 13, 2003. Although the worm then no longer attempts to spread, it will still attempt to perform an update during the trigger period referenced below.