VIRUS ALERT
Virus Name:
W32/Sobig.f@MM
Risk Factor: HIGH
We would like to make all our users aware of a new worm doing the rounds.
This detection is for a new variant of W32/Sobig. In common with previous variants, the worm is written in MSVC, and bears the following characteristics:
- propagates via email, constructing outgoing messages with its own SMTP engine
- propagates over network shares (not confirmed in testing yet)
Note: The worm carries garbage data appended to the end of the file, so the exact file size and file checksum may vary from sample to sample.
Mail Propagation
The worm mails itself to email addresses harvested from the victim machine, using its own SMTP engine to construct outgoing messages. Target email addresses are harvested from files with the following extensions:
- DBX
- HLP
- MHT
- WAB
- EML
- TXT
- HTM
- HTML
Outgoing messages are constructed as follows:
Subject:
- Your details
- Thank you!
- Re: Thank you!
- Re: Details
- Re: Re: My details
- Re: Approved
- Re: Your application
- Re: Wicked screensaver
- Re: That movie
Attachment:
- your_document.pif
- document_all.pif
- thank_you.pif
- your_details.pif
- details.pif
- document_9446.pif
- application.pif
- wicked_scr.scr
- movie0045.pif
Body:
- See the attached file for details
- Please see the attached file for details
The "From:" address may be spoofed with an address extracted from the victim machine. Therefore the apparent sender is most likely not the infected user.
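The subject, attachment and body lists above are the mail-side indicators a gateway or mailbox filter can key on. The following is an added example, not part of this alert or of any vendor product: it parses a message with Python's standard email library, compares it against the indicator lists quoted from the alert, and reports the From: address only alongside a flag saying it is unreliable. The two sample messages are constructed for the demonstration; the domain names in them are placeholders.

```python
"""Added example: flag inbound mail that matches the W32/Sobig.f@MM message
indicators listed in the alert (subjects, attachment names, body text).
Not part of the original alert; the sample messages below are constructed."""
import email
from email import policy
from email.message import EmailMessage

# Indicator lists copied from the alert; compared case-insensitively.
SUBJECTS = {
    "your details", "thank you!", "re: thank you!", "re: details",
    "re: re: my details", "re: approved", "re: your application",
    "re: wicked screensaver", "re: that movie",
}
ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}
BODIES = {
    "see the attached file for details",
    "please see the attached file for details",
}


def sobig_indicators(raw: bytes) -> dict:
    """Parse one RFC 822 message and report which Sobig.f indicators it matches.

    'match' is True when a listed attachment name is present together with a
    listed subject or body. The From: address is reported but, as the alert
    notes, it is spoofed and must not be used to identify the infected host.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    hits = {
        "subject": subject in SUBJECTS,
        "attachment": any(n.lower() in ATTACHMENTS for n in names),
        "body": body in BODIES,
    }
    return {
        "hits": hits,
        "attachment_names": names,
        "match": hits["attachment"] and (hits["subject"] or hits["body"]),
        "from": str(msg.get("From", "")),
        "from_reliable": False,  # Sobig.f spoofs From: with a harvested address
    }


def _build(subject, body, filename):
    """Construct a sample message (constructed test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "spoofed.sender@example.invalid"   # placeholder address
    m["To"] = "recipient@example.invalid"          # placeholder address
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        # Inert dummy bytes stand in for the attachment body.
        m.add_attachment(b"\x00" * 16, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples: one mimicking the alert's message shape, one benign
# reply whose subject happens to collide with a listed subject line.
SAMPLE_WORM = _build("Re: Wicked screensaver",
                     "See the attached file for details", "wicked_scr.scr")
SAMPLE_BENIGN = _build("Re: Thank you!",
                       "Thanks again for lunch, see you Friday.", "notes.txt")

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, sobig_indicators(raw))
```

Requiring a listed attachment name together with a listed subject or body keeps an ordinary "Re: Thank you!" reply from being quarantined; because the worm appends garbage to its own file, the attachment name and message shape are steadier indicators than a file hash.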
Our email virus scanner has been updated to protect against this threat.
Stinger is a stand-alone remover. You may download your copy from the following URL: http://vil.nai.com/vil/stinger
Reference:
http://vil.nai.com/vil/content/v_100561.htm