Virus Pretends To Come From support@microsoft.com
For full information and tools for removal, see:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.b@mm.html
W32.Sobig.B@mm is a mass-mailing worm that sends itself to all the email addresses it finds, purporting to have been sent by Microsoft (support@microsoft.com). The worm finds the addresses in files with the following extensions:
.wab
.dbx
.htm
.html
.eml
.txt
Email Routine Details
The email message has the following characteristics:
From: support@microsoft.com
Subject: The subject line will be one of the following:
Your details
Approved (Ref: 38446-263)
Re: Approved (Ref: 3394-65467)
Your password
Re: My details
Screensaver
Cool screensaver
Re: Movie
Re: My application
Message Body: All information is in the attached file.
Attachment: The attachment name will be one of the following:
your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif
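The characteristics listed above can be turned into a mail-filter check. The following is an added example, not part of the original advisory: the function names are hypothetical, the sample message is constructed, and requiring a listed attachment plus one header match is an assumed policy chosen because the spoofed From address alone also appears on unrelated mail.

```python
import email
from email import policy

# Indicators copied from the advisory text; compared case-insensitively.
FROM_ADDR = "support@microsoft.com"
SUBJECTS = {
    "your details", "approved (ref: 38446-263)", "re: approved (ref: 3394-65467)",
    "your password", "re: my details", "screensaver", "cool screensaver",
    "re: movie", "re: my application",
}
ATTACHMENTS = {
    "your_details.pif", "ref-394755.pif", "approved.pif", "password.pif",
    "doc_details.pif", "screen_temp.pif", "screen_doc.pif", "movie28.pif",
    "application.pif",
}

def sobig_b_indicators(raw_message: bytes) -> list[str]:
    """Return the advisory indicators matched by a raw RFC 5322 message."""
    # policy.default decodes RFC 2047 encoded-words and parses address headers.
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    from_hdr = msg["From"]
    addrs = [a.addr_spec.lower() for a in from_hdr.addresses] if from_hdr else []
    if FROM_ADDR in addrs:
        hits.append("from")
    # Collapse folded whitespace so a wrapped header still compares equal.
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    if subject in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():  # visits every MIME part, including nested ones
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits

def is_probable_sobig_b(raw_message: bytes) -> bool:
    """Assumed policy: a listed attachment plus a matching From or Subject."""
    hits = sobig_b_indicators(raw_message)
    return any(h.startswith("attachment:") for h in hits) and bool({"from", "subject"} & set(hits))

# Constructed sample message (placeholder attachment bytes, not a real sample).
SAMPLE = (
    b"From: support@microsoft.com\r\nSubject: Re: Movie\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nAll information is in the attached file.\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="MOVIE28.PIF"\r\n\r\nplaceholder\r\n--b1--\r\n'
)
```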
NOTES:
The worm de-activates on May 31, 2003, and therefore, the last day on which the worm will spread is May 30, 2003.
Virus definitions dated prior to May 19, 2003 may detect this threat as W32.HLLW.Mankx@mm.
Symantec Security Response has created a tool to remove W32.Sobig.B@mm.
Also Known As: W32.HLLW.Mankx@mm, W32/Palyh@MM [McAfee], W32/Palyh-A [Sophos], I-Worm.Palyh [KAV], WORM_PALYH.A [Trend], Win32.Palyh.A [CA]
Type: Worm
Infection Length: 52,898 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux