New Virus Evolving

A new variation of an email virus is infecting systems today. Please make sure your Antivirus definitions are updated today. Information from Symantec (Norton) Antivirus listed below.

W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses that it finds in the files with the following extensions:
.dbx
.eml
.hlp
.htm
.html
.mht
.wab
.txt

The worm utilizes it's own SMTP engine to propagate and will attempt to create a copy of itself on accessible network shares.

Email Routine Details
The email message has the following characteristics:

From: Spoofed address (which means that the sender in the "From" field is most likely not the real sender).
The worm may use the address admin@internet.com as the sender.

Subject:

Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Thank you!
Your details

Body:

See the attached file for details
Please see the attached file for details.

Attachment:

your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

NOTE: The worm deactivates on September 10, 2003. The last day on which the worm will spread is September 9, 2003.

Also Known As:
Sobig.F [F-Secure], W32/Sobig.f@MM [McAfee], WORM SOBIG.F [Trend]



Type:
Worm

Infection Length:
about 72,000 bytes

Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Systems Not Affected:
Linux, Macintosh, OS/2, UNIX, Windows 3.x