W32/SoBig.F@MM
Last Updated 8/25/03 11:48AM
CIT has seen a dramatic increase in the detection of W32/SoBig.F@MM in emails. W32/SoBig.F@MM is a mass-mailing worm that also spreads via network shares. It sends a copy of itself to email addresses found in the infected user's local address book and in .htm, .html, .mht, .wab, and .txt files.
In email form, W32/SoBig.F@MM appears as follows:
The from address is: admin@internet.com
The subject is one of the following:
- Re: Details
- Re: Approved
- Re: Re: My details
- Re: Thank you!
- Re: That movie
- Re: Wicked screensaver
- Re: Your application
- Thank you!
- Your details
The message body is one of the following:
- See the attached file for details
- Please see the attached file for details.
The attachment may be one of the following:
- application.zip (contains application.pif)
- details.zip (contains details.pif)
- document_9446.zip (contains document_9446.pif)
- document_all.zip (contains document_all.pif)
- movie0045.zip (contains movie0045.pif)
- thank_you.zip (contains thank_you.pif)
- your_details.zip (contains your_details.pif)
- your_document.zip (contains your_document.pif)
- wicked_scr.zip (contains wicked_scr.scr)
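The indicators listed above can be checked mechanically over stored or quarantined mail. The following Python code is an added example, not part of the original advisory: it matches the From address, subjects and attachment names given above and, as a generalization, also reports any .pif or .scr member inside a zip attachment without extracting it. The function names and the sample message (placeholder text only, recipient address invented) are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Indicators copied from the advisory above (compared case-insensitively).
SUBJECTS = {"re: details", "re: approved", "re: re: my details", "re: thank you!",
            "re: that movie", "re: wicked screensaver", "re: your application",
            "thank you!", "your details"}
ATTACHMENTS = {"application.zip", "details.zip", "document_9446.zip",
               "document_all.zip", "movie0045.zip", "thank_you.zip",
               "your_details.zip", "your_document.zip", "wicked_scr.zip"}
RISKY_EXT = (".pif", ".scr")  # archive member types named in the advisory

def sobig_f_indicators(raw: bytes) -> list[str]:
    """Return the advisory indicators that a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw)
    hits = []
    if "admin@internet.com" in (msg.get("From") or "").lower():
        hits.append("from")
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append("attachment-name:" + name)
        data = part.get_payload(decode=True) or b""  # None for multipart containers
        try:  # generalization: list zip members in memory, never extract them
            members = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            continue  # not a zip archive (text body, container, other file type)
        hits += ["zip-member:" + m for m in members if m.lower().endswith(RISKY_EXT)]
    return hits

def build_sample() -> bytes:
    """Constructed test message: harmless text stored under a .pif name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details.pif", "placeholder, not executable content")
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "admin@internet.com", "user@example.edu", "Re: Details"
    m.set_content("See the attached file for details")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="details.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(sobig_f_indicators(build_sample()))
```

A message that matches only on subject (for example a genuine "Thank you!" email) is weak evidence by itself; the attachment name and zip member hits are the stronger signals.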
The SuperDat 4287 and later from NAI will detect and remove w32/SoBig.F@MM. * Updated 12:01pm
The 8/19/03 and later definitions released by Symantec will detect and remove w32/SoBig.F@MM. Definitions are available through the LiveUpdate feature of Symantec Antivirus.
A SoBig.F removal tool (Stinger.exe) is available here (Stinger version 1.8.4). * Updated 8/25/03 11:48am
For more information see:
http://vil.nai.com/vil/content/v_100561.htm from NAI.
http://sarc.com/avcenter/venc/data/w32.sobig.f@mm.html from Symantec.
This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.