Symantec Security Response -- W32.Sobig.C@mm
On May 31, 2003, Symantec Security Response upgraded the mass-mailing worm W32.Sobig.C@mm from a Category 2 to a Category 3 rating based on an increased number of submissions. W32.Sobig.C@mm is a variant of W32.Sobig.B@mm, discovered May 18, which has impacted thousands of customers. The new variant first appeared in the wild on Sunday 1 June, the same day that W32.Sobig.B@mm deactivated. Although this worm does not have a malicious payload, customers should ensure they have the latest definitions from Symantec to avoid further spread of the worm. The worm deactivates on 8th June 2003, so the last date on which it will spread is 7th June 2003.
The email message will appear to be from the address: bill@microsoft.com.
Subject line will be one of the following:
Re: Movie
Re: Submited (004756-3463)
Re: 45443-343556
Re: Approved
Approved
Re: Your application
Re: Application
Message Body: Please see the attached file.
Attachment name will be one of the following:
screensaver.scr
movie.pif
submited.pif
45443.pif
documents.pif
approved.pif
application.pif
document.pif
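The sender, subject, body and attachment indicators listed above can be checked at a mail gateway. The following is an added example, not Symantec's code: the function names, the two sample messages (constructed here) and the "listed attachment name plus one other indicator" policy are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Indicators copied from the advisory text (the worm's own spelling "submited" is kept).
SENDER = "bill@microsoft.com"
SUBJECTS = {"re: movie", "re: submited (004756-3463)", "re: 45443-343556",
            "re: approved", "approved", "re: your application", "re: application"}
ATTACHMENTS = {"screensaver.scr", "movie.pif", "submited.pif", "45443.pif",
               "documents.pif", "approved.pif", "application.pif", "document.pif"}
BODY = "please see the attached file."


def sobig_c_indicators(raw: bytes) -> set:
    """Return which advisory indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if parseaddr(str(msg.get("From", "")))[1].lower() == SENDER:
        hits.add("sender")
    # Collapse whitespace so folded or padded subjects still compare equal.
    if " ".join(str(msg.get("Subject", "")).lower().split()) in SUBJECTS:
        hits.add("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() == BODY:
        hits.add("body")
    for part in msg.walk():
        name = part.get_filename()
        # Compare only the base name, case-insensitively.
        if name and name.replace("\\", "/").rsplit("/", 1)[-1].lower() in ATTACHMENTS:
            hits.add("attachment")
    return hits


def is_suspect(raw: bytes) -> bool:
    # Assumed policy: a listed attachment name plus at least one other indicator.
    hits = sobig_c_indicators(raw)
    return "attachment" in hits and len(hits) >= 2


# Constructed sample messages (not captured traffic).
SAMPLE_WORM = b"\r\n".join([
    b"From: bill@microsoft.com", b"Subject: Re: Approved", b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"', b"", b"--b1",
    b"Content-Type: text/plain", b"", b"Please see the attached file.", b"--b1",
    b"Content-Type: application/octet-stream",
    b'Content-Disposition: attachment; filename="Approved.PIF"', b"", b"(stub)",
    b"--b1--", b""])
SAMPLE_BENIGN = b"From: alice@example.com\r\nSubject: Approved\r\n\r\nBudget approved, thanks.\r\n"
```

A subject such as "Approved" is common in ordinary mail, which is why the assumed policy does not flag on the subject alone.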
Systems affected by this worm include Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, and Windows ME. W32.Sobig.C@mm uses its own SMTP engine to email itself to all the contacts it finds in files with the following extensions:
.wab
.dbx
.htm
.html
.eml
.txt
Symantec Security Response has received 284 submissions to date. Symantec Security Response has posted LiveUpdate definitions and a removal tool for W32.Sobig.C@mm. Additional information can be found at: http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.c@mm.html
ENDS