Due to a decreased rate of submissions, and the hard coded deactivation date, Symantec Security Response has downgraded this threat to a Category 2 from a Category 4 as of September 15, 2003.
W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in the files that have the following extensions:
The worm uses its own SMTP engine to propagate. It also attempts to create a copy of itself on accessible network shares, but fails due to bugs in the code.
Email routine details
The email message has the following characteristics:
Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address, firstname.lastname@example.org, as the sender.
- The spoofed addresses and the Send To addresses are both taken from the files found on the computer. Also, the worm may use the settings of the infected computer's settings to check for an SMTP server to contact.
- The choice of the internet.com domain appears to be arbitrary and does not have any connection to the actual domain or its parent company.
- Re: Details
- Re: Approved
- Re: Re: My details
- Re: Thank you!
- Re: That movie
- Re: Wicked screensaver
- Re: Your application
- Thank you!
- Your details
- See the attached file for details
- Please see the attached file for details.
- The worm de-activates on September 10, 2003. The last day after which the worm should stop spreading is September 9, 2003. However, computers with out of date system clocks are still vulnerable to the worm and may contribute to its spread after the de-activation date.
- The aforementioned de-activation date applies only to the mass-mailing, network propagation, and email address collection routines. This means that a W32.Sobig.F@mm-infected computer will still attempt to download the updates from the respective list of master servers during the associated trigger period, even after the infection de-activation date. Previous variants of Sobig exhibited similar behavior.
- Outbound udp traffic was observed on August 22nd, coming from systems infected with both Sobig.E and Sobig.F. However, the target IP addresses were either not responding, taken offline, or contained non-executable content; that is, a link to an adult site.
- W32.Sobig.F@mm uses a technique known as "email spoofing," by which the worm randomly selects an address it finds on an infected computer. For more information on email spoofing, see the "Technical Details" section below.
Symantec Security Response has developed a removal tool
to clean the infections of W32.Sobig.F@mm.
Due to the nature of the email spoofing, a substantial amount of extraneous traffic is generated as a result of virus notifications being sent to invalid email addresses. One solution to alleviate this problem would be to disable the Virus Notification messages that gateway and server-based mail products send.
Click for a more detailed description of Rapid Release and Daily Certified virus definitions.