W32/Sobig.B@mm, a new worm spreading fast
W32/Sobig.B@mm, also known as W32/Palyh@mm, W32/Emesache@mm, W32.HLLM.Ccn@mm and W32.HLLW.Manx@mm, is a new mass mailer and worm, discovered on the 19th of May. It has spread tremendously fast and has reached a geographically wide distribution in a relatively short time period.
W32/Sobig.B@mm spreads both via infected e-mail attachments and via open network resources.
It spreads via e-mail by sending itself to e-mail addresses harvested from all files with .DBX, .EML, .HTM, .HTML, .TXT, and .WAB extensions found on the infected computer.
Messages containing an attachment infected with W32/Sobig.B@mm will bear the following characteristics:
Sender:
support@microsoft.com
Subject:
The subject is randomly chosen from this list:
Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My details
Your password
Re: Approved (Ref: 3394-65467)
Approved (Ref: 38446-263)
Your details
Name of attachment:
application.pif
approved.pif
doc_details.pif
your_details.pif
movie28.pif
password.pif
screen_temp.pif
screen_doc.pif
ref-394755.pif
Detailed description of W32/Sobig.B@mm
W32/Sobig.B@mm is detected with the latest versions of F-Prot Antivirus products using virus signature files created on the 19th of May or later.
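The sender, subject and attachment names listed above can also be matched at a mail gateway or against a stored mailbox. The following Python check is an added example, not code from F-Prot or from the original advisory; the function names, the case-insensitive comparison and the constructed sample message are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory text above (stored lower-cased).
SENDER = "support@microsoft.com"
SUBJECTS = {
    "re: my application", "re: movie", "cool screensaver", "screensaver",
    "re: my details", "your password", "re: approved (ref: 3394-65467)",
    "approved (ref: 38446-263)", "your details",
}
ATTACHMENTS = {
    "application.pif", "approved.pif", "doc_details.pif", "your_details.pif",
    "movie28.pif", "password.pif", "screen_temp.pif", "screen_doc.pif",
    "ref-394755.pif",
}

def match_sobig_b(raw_message: bytes) -> dict:
    """Report which of the listed characteristics a raw RFC 822 message has."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_hdr = msg["From"]
    # Compare only the address part, so a display name does not hide a match.
    addrs = from_hdr.addresses if from_hdr is not None else ()
    sender = addrs[0].addr_spec.lower() if addrs else ""
    # Collapse whitespace and ignore case (assumption: a defensive choice).
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    # Walk every MIME part so nested attachments are inspected too.
    names = [(part.get_filename() or "").lower() for part in msg.walk()]
    return {
        "sender": sender == SENDER,
        "subject": subject in SUBJECTS,
        "attachment": any(name in ATTACHMENTS for name in names),
    }

def build_sample(sender: str, subject: str, filename: str) -> bytes:
    """Build a constructed test message; body and payload are placeholders."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("constructed body text")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(match_sobig_b(build_sample(SENDER, "Re: Movie", "movie28.pif")))
```

A message that matches on the attachment name together with the sender or subject is a strong candidate for quarantine; a subject match alone (for example "Screensaver") is too generic to act on by itself.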

