Virus Archives

W32/SoBig.F@MM Last Updated 8/25/03 11:48AM

CIT has seen a dramatic increase in the detection of W32/SoBig.F@MM in emails. W32/SoBig.F@MM is a mass-mailing worm that also spreads via network shares. It sends a copy of itself to email addresses found in the infected user's local address book and in .htm, .html, .mht, .wab, and .txt files.

In email form, W32/SoBig.F@MM appears as follows:

The From address is: admin@internet.com

The subject is one of the following:

  • Re: Details
  • Re: Approved
  • Re: Re: My details
  • Re: Thank you!
  • Re: That movie
  • Re: Wicked screensaver
  • Re: Your application
  • Thank you!
  • Your details

The message body is one of the following:

  • See the attached file for details
  • Please see the attached file for details.

The attachment may be one of the following:

  • application.zip (contains application.pif)
  • details.zip (contains details.pif)
  • document_9446.zip (contains document_9446.pif)
  • document_all.zip (contains document_all.pif)
  • movie0045.zip (contains movie0045.pif)
  • thank_you.zip (contains thank_you.pif)
  • your_details.zip (contains your_details.pif)
  • your_document.zip (contains your_document.pif)
  • wicked_scr.zip (contains wicked_scr.scr)
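
The indicators listed above can be checked automatically when triaging quarantined or reported mail. The following Python is an added example, not code from CIT, NAI or Symantec: it matches the sender, subject and attachment names from this advisory and then opens a listed .zip to confirm that it holds a .pif or .scr member. The function names and the sample message builder are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Indicators copied from the advisory text above.
SENDER = "admin@internet.com"
SUBJECTS = {
    "re: details", "re: approved", "re: re: my details", "re: thank you!",
    "re: that movie", "re: wicked screensaver", "re: your application",
    "thank you!", "your details",
}
ATTACHMENTS = {
    "application.zip", "details.zip", "document_9446.zip", "document_all.zip",
    "movie0045.zip", "thank_you.zip", "your_details.zip", "your_document.zip",
    "wicked_scr.zip",
}

def sobig_f_indicators(raw: bytes) -> list[str]:
    """Return the advisory indicators matched by one raw RFC 822 message."""
    msg = message_from_bytes(raw)
    hits = []
    if SENDER in (msg.get("From") or "").lower():
        hits.append("from")
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name not in ATTACHMENTS:
            continue
        hits.append("attachment:" + name)
        try:  # the name alone is weak evidence; look for the .pif/.scr inside
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
            hits += ["member:" + m for m in zf.namelist()
                     if m.lower().endswith((".pif", ".scr"))]
        except zipfile.BadZipFile:
            hits.append("unreadable-zip")
    return hits

def constructed_sample(subject, zip_name, member, sender=SENDER) -> bytes:
    """Build a harmless test message (constructed; the member is plain text)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder text, not an executable")
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg.set_content("Please see the attached file for details.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

A message that matches only one indicator, such as a listed archive name with no .pif or .scr inside, is better queued for review than treated as a confirmed detection.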

SuperDat 4287 and later from NAI will detect and remove W32/SoBig.F@MM. * Updated 12:01pm

The 8/19/03 and later definitions released by Symantec will detect and remove W32/SoBig.F@MM. Definitions are available through the LiveUpdate feature of Symantec Antivirus.

A SoBig.F removal tool (Stinger.exe, Stinger version 1.8.4) is available. * Updated 8/25/03 11:48am

For more information see:

http://vil.nai.com/vil/content/v_100561.htm from NAI.
http://sarc.com/avcenter/venc/data/w32.sobig.f@mm.html from Symantec.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.

Contact NIH Help Desk for assistance:
866-319-4357 (toll free), 301-496-4357 (6-HELP) (local), 301-496-8294 (TDD)
http://ithelpdesk.nih.gov/support

National Institutes of Health, Center for Information Technology
Bethesda, Maryland 20892