FRISK Software International

Summary of W32/Sobig.A@mm
Length: 65536
Discovered: 9 Jan 2003
Definition files: 9 Jan 2003
Risk Level: Medium
Infection Method: Email attachment, Local area network shares

Brief Description
Sobig.A is written in Visual C++ and packed with the UPX packer. It spreads by email, sending itself as an email attachment, and it also replicates through shared network drives.

Technical Description
The worm adds itself to the registry under the following keys, where the value is the location of the virus, so that the virus runs each time the computer starts:

It also copies itself to the Windows directory under the name

The worm sends email to all the email addresses it finds in files with these endings:

The email is constructed from these parts:
The from address is:

The subject is randomly chosen from this list:
Re: Here is that sample
Re: Document
Re: Sample
Re: Movies

The name of the attached file is chosen from the following lists:

The worm also looks for network shares and tries to copy itself to these directories:
Windows\All Users\Start\Menu\Programs\StartUp
Documents and Settings\All Users\Start Menu\Programs\Startup
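An added example, not part of the original FRISK description: it checks the two Startup folders listed above on a mounted share for files that match the stated length (65536) and show UPX packing. The function names, indicator labels and sample files are assumptions constructed for illustration, and the `UPX0`/`UPX1` check relies on the section names UPX normally leaves in a packed executable.

```python
import os
import tempfile

# Indicators taken from the description above.
WORM_LENGTH = 65536
STARTUP_DIRS = (  # copied as listed on this page
    r"Windows\All Users\Start\Menu\Programs\StartUp",
    r"Documents and Settings\All Users\Start Menu\Programs\Startup",
)
UPX_MARKERS = (b"UPX0", b"UPX1")  # section names UPX leaves in a packed PE

def triage_file(path):
    """Return which of the page's indicators a file matches."""
    hits = []
    if os.path.getsize(path) == WORM_LENGTH:
        hits.append("length-65536")
    with open(path, "rb") as fh:
        head = fh.read(4096)  # DOS/PE headers and section table
    if head[:2] == b"MZ" and any(m in head for m in UPX_MARKERS):
        hits.append("upx-packed-pe")
    return hits

def scan_share(root):
    """Triage every file in both Startup folders under a mounted share."""
    findings = {}
    for rel in STARTUP_DIRS:
        folder = os.path.join(root, *rel.split("\\"))
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            if os.path.isfile(path) and (hits := triage_file(path)):
                findings[path] = hits
    return findings

def build_sample(root):
    """Constructed test data: one look-alike file and one benign shortcut."""
    folder = os.path.join(root, *STARTUP_DIRS[1].split("\\"))
    os.makedirs(folder)
    fake = b"MZ" + b"\0" * 510 + b"UPX0\0\0\0\0UPX1"
    with open(os.path.join(folder, "sample.exe"), "wb") as fh:
        fh.write(fake.ljust(WORM_LENGTH, b"\0"))
    with open(os.path.join(folder, "notes.lnk"), "wb") as fh:
        fh.write(b"L\0\0\0 benign shortcut")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_share(tmp))
```

A file that matches both indicators in a Startup folder is a candidate for an antivirus scan, not a confirmed detection; legitimate UPX-packed programs exist.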

Sigurdur A. Stefnisson, FRISK Software International
