W32/Sobig.E@mm the second most stopped virus by F-Prot AVES

26 June 2003

This latest variant was found in the wild on the 25th of June 2003.

It has gained wide distribution in less than 24 hours and is now the second most frequently caught virus by F-Prot AVES.

In the same way as its predecessors, it spreads both via infected e-mail attachments and through open network shares.

Messages bearing the virus have the following characteristics:

From address: This address is made up by W32/Sobig.E@mm and is not a valid e-mail address.
Subject: The Subject is randomly selected from the following list contained inside the virus:

004448554.pif
Application.pif
Applications.pif
movie.pif
new document.pif
Re: Application
Re: document.pif
Re: Documents
Re: Movie
Re: Movies
Re: Re: Application ref 003644
Re: Re: Document
Re: ScRe:ensaver
Re: Submitted
Referer.pif
Screensaver.scr
submited.pif
Your application


Attachment: An attachment bearing W32/Sobig.E@mm will be called one of these names:

application.zip (contains application.pif)
document.zip (contains document.pif)
movie.zip (contains Movie.pif)
screensaver.zip (contains sky.world.scr)
your details.zip (contains details.pif)

Much like its predecessors, W32/Sobig.E@mm has a built-in end date, after which it will no longer distribute itself. This variant's end date is 14th of July.

W32/Sobig.E@mm is detected with the current versions of F-Prot Antivirus using virus signature files dated 25 June 2003 or later.

Related:

Detailed description of W32/Sobig.A
Detailed description of W32/Sobig.B
Detailed description of W32/Sobig.D
Information about F-Prot AVES


1993-2013 © CYREN