W32.Sobig.E@mm


Risk Level 2: Low

June 25, 2003
February 13, 2007 12:02:53 PM
Also Known As:
Win32.Sobig.E [CA], W32/Sobig-E [Sophos], W32/Sobig.e@MM [McAfee], WORM_SOBIG.E [Trend], I-Worm.Sobig.e [KAV]
Systems Affected:

Due to a decreased rate of submissions and the hard-coded deactivation date, Symantec Security Response has downgraded this threat from Category 3 to Category 2 as of July 16, 2003.

W32.Sobig.E@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses that it finds in the files with the following extensions:
  • .wab
  • .dbx
  • .htm
  • .html
  • .eml
  • .txt

The email falsely claims to have been sent by Yahoo (support@yahoo.com).

Email Routine Details
The email message has the following characteristics:

From: support@yahoo.com (NOTE: W32.Sobig.E@mm spoofs this field. It could be any address.)

Subject: The subject line will be one of the following:
  • Re: Application
  • Re: Movie
  • Re: Movies
  • Re: Submitted
  • Re: ScRe:ensaver
  • Re: Documents
  • Re: Re: Application ref 003644
  • Re: Re: Document
  • Your application
  • Application.pif
  • Applications.pif
  • movie.pif
  • Screensaver.scr
  • submited.pif
  • new document.pif
  • Re: document.pif
  • 004448554.pif
  • Referer.pif

Attachment: The attachment name will be one of the following:
  • Your_details.zip (contains Details.pif)
  • Application.zip (contains Application.pif)
  • Document.zip (contains Document.pif)
  • Screensaver.zip (contains Sky.world.scr)
  • Movie.zip (contains Movie.pif)

NOTE: The worm deactivates on July 14, 2003, so the last day on which the worm will spread is July 13, 2003. While the worm no longer attempts to spread, it will still attempt to perform an update during the trigger period referenced below.

Antivirus Protection Dates

  • Initial Rapid Release version June 25, 2003
  • Latest Rapid Release version January 24, 2018 revision 003
  • Initial Daily Certified version June 25, 2003
  • Latest Daily Certified version January 24, 2018 revision 007
  • Initial Weekly Certified release date June 25, 2003