WORM_SOBIG.D
Overview

Malware type: Worm

Aliases: W32.Sobig.D@mm, W32/Sobig-D, Sobig.D

In the wild: No

Destructive: No

Language: English

Platform: Windows 95, 98, NT, 2000, ME, XP

Encrypted: Yes

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Description: 
This nondestructive worm propagates via network shares and via email using its own SMTP (Simple Mail Transfer Protocol) engine. It gathers its target email addresses from files with the following extensions:

  • WAB
  • DBX
  • HTM
  • HTML
  • EML
  • TXT

It also uses the obtained email addresses in the From field of the email messages that it sends out. The messages have the following details:

From: admin@support.com <or obtained email address>

Subject: (any of the following)

  • Application Ref: 456003
  • Re: Accepted
  • Re: App. 00347545-002
  • Re: Application
  • Re: Documents
  • Re: Movies
  • Re: Screensaver
  • Re: Your Application (Ref: 003844)
  • Your Application

Message body: See the attached file for details

Attachment: (any of the following)

  • accepted.pif
  • app003475.pif
  • application.pif
  • application844.pif
  • applications.pif
  • document.pif
  • movies.pif
  • ref_456.pif
  • screensaver.scr
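The message details listed above can be turned into a mail-filter check. The following is an added example, not Trend Micro's code: the function names, the triage labels and the sample messages are constructed here. It ignores the From field, since the description says the worm fills it with harvested addresses.

```python
from email.message import EmailMessage

# Indicator values copied from the description above (compared case-insensitively).
SUBJECTS = {s.lower() for s in (
    "Application Ref: 456003", "Re: Accepted", "Re: App. 00347545-002",
    "Re: Application", "Re: Documents", "Re: Movies", "Re: Screensaver",
    "Re: Your Application (Ref: 003844)", "Your Application")}
ATTACHMENTS = {
    "accepted.pif", "app003475.pif", "application.pif", "application844.pif",
    "applications.pif", "document.pif", "movies.pif", "ref_456.pif",
    "screensaver.scr"}
BODY = "see the attached file for details"

def indicators(msg):
    """List which of the listed subject/body/attachment values a message carries."""
    hits = []
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
        elif not name and part.get_content_type() == "text/plain":
            text = (part.get_payload(decode=True) or b"").decode("latin-1")
            if BODY in text.lower():
                hits.append("body")
    return hits

def verdict(msg):
    """'match': listed attachment plus subject or body; 'review': attachment only."""
    hits = indicators(msg)
    if not any(h.startswith("attachment:") for h in hits):
        return "none"  # the listed subjects and body text also occur in normal mail
    return "match" if ("subject" in hits or "body" in hits) else "review"

def build_sample(subject, body, filename=None):
    """Constructed test message; addresses and payload bytes are placeholders."""
    m = EmailMessage()
    m["From"], m["To"] = "admin@support.com", "user@example.test"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"placeholder, not malware", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m

if __name__ == "__main__":
    demo = build_sample("Re: Movies", "See the attached file for details", "movies.pif")
    print(verdict(demo), indicators(demo))
```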

This worm stops running its network propagation routine once the system date is past July 1, 2003.

It runs on Windows 95, 98, ME, NT, 2000, and XP.


Description created: Jun. 18, 2003 1:45:50 PM GMT -0800
