W32/Sobig.D@mm has started spreading
W32/Sobig.D@mm is a variant of the W32/Sobig.{A/B/C}@mm mass-mailing worms that spread in late May and early June.
Like its predecessors, W32/Sobig.D@mm has an 'end date', after which it will not spread any further. The end date of W32/Sobig.D@mm appears to be 2 July 2003.
W32/Sobig.D@mm spreads both via infected e-mail attachments and via open network resources.
This mass-mailer spreads via e-mail by sending itself as an attachment to e-mail addresses harvested from files with these extensions on an infected computer: .WAB, .DBX, .HTM, .HTML, .EML, and .TXT
Messages containing an attachment infected with W32/Sobig.B@mm will bear the following characteristics:
W32/Sobig.D@mm creates a fake 'From' address, so the sender cannot be relied on to identify an infected message. Other characteristics of a message bearing the mass-mailing worm are:
Subject:
The subject is randomly chosen from this list:
- Application Ref: 456003
- Your Application
- Re: Accepted
- Re: App. 00347545-002
- Re: Documents
- Re: Movies
- Re: Screensaver
- Re: Your Application (Ref: 003844)
Attachment's name:
- app003475.pif
- Accepted.pif
- Application.pif
- Application844.pif
- Applications.pif
- Document.pif
- movies.pif
- ref_456.pif
- Screensaver.scr
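The two lists above can be turned into a mail-gateway check. The following is an added example, not part of the original advisory or of any F-Prot product: it parses a raw message and reports which listed subjects and attachment names it carries. The function names, the sample messages and the rule of quarantining on an attachment-name match alone are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the advisory's lists, lowercased for comparison.
SUBJECTS = {s.lower() for s in (
    "Application Ref: 456003", "Your Application", "Re: Accepted",
    "Re: App. 00347545-002", "Re: Documents", "Re: Movies",
    "Re: Screensaver", "Re: Your Application (Ref: 003844)")}
ATTACHMENTS = {a.lower() for a in (
    "app003475.pif", "Accepted.pif", "Application.pif", "Application844.pif",
    "Applications.pif", "Document.pif", "movies.pif", "ref_456.pif",
    "Screensaver.scr")}

def scan(raw: bytes) -> dict:
    """Report which listed indicators a raw RFC 822 message carries."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Collapse whitespace so a folded Subject header still compares equal.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    names = []
    for part in msg.walk():                 # covers nested multipart messages
        name = part.get_filename()          # None for parts without a filename
        if name and name.strip().lower() in ATTACHMENTS:
            names.append(name.strip().lower())
    # The From header is ignored on purpose: the advisory says it is faked.
    # Assumed policy: a subject such as "Re: Documents" is common in normal
    # mail, so only an attachment-name match triggers quarantine.
    return {"subject": subject in SUBJECTS, "attachments": names,
            "quarantine": bool(names)}

def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m["Subject"] = subject
    m.set_content("Constructed test message.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fn in (("Re: Movies", "MOVIES.PIF"), ("Re: Documents", "report.pdf")):
        print(subj, fn, scan(build_sample(subj, fn)))
```

Name matching of this kind only covers the strings listed here; it complements signature-based scanning rather than replacing it.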
W32/Sobig.D@mm is detected with the latest versions of F-Prot Antivirus products using virus signature files created on the 18th of June or later.
Related:
Detailed description of W32/Sobig.D@mm
Detailed description of W32/Sobig.B@mm

