Sobig.e arrives via email or shared network file. The email message appears to be from someone you might know, but this address is spoofed. The email's subject line may include one of the following:
Application Ref: 456003
Your application
Re: Re: Document
Re: Re: Application ref. 003644
Re: Documents
Re: Screensaver
Re: Submited (Ref: 003746)
Re: Movies
Re: Movie
Re: Application
The attached file is your_details.zip. Because most extension-blocking rules within email clients ignore ZIP files, the attachment may not be blocked, so you should not attempt to open this file. Some copies of Sobig.e sent from infected machines may produce attached files with only a .zi extension. The body text for Sobig.e may also read "Please see the attached zip file for details."

This worm does not automatically execute. Therefore, you must open the attached file to become infected with Sobig.e.

Upon execution, the worm adds the following files to the default Windows directory:
WinSSK32.EXE (Copy of the worm)
MSRRF.DAT (configuration file)

Upon execution, the worm will search saved files with these extensions for embedded email addresses:
TXT
EML
HTML
HTM
DBX
WAB
Sobig.e may contain a list of NT servers and opens a port (port 123) to send packets to those servers.

Removal
A few antivirus software companies have already updated their signature files to include this worm. This will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see Central Command, Computer Associates, McAfee, MessageLabs, Norman, Panda, Sophos, and Symantec.
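
For mail administrators, the subject lines, attachment name and body text listed above can be turned into a simple gateway heuristic. This is an added example, not code from the advisory or from any antivirus vendor. The function names, the scoring scheme and the sample message are constructed for illustration, and treating any filename ending in .zi as a match is an assumption.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory text; matching is case-insensitive.
SUBJECTS = {
    "application ref: 456003", "your application", "re: re: document",
    "re: re: application ref. 003644", "re: documents", "re: screensaver",
    "re: submited (ref: 003746)", "re: movies", "re: movie", "re: application",
}
ATTACHMENT = "your_details.zip"
BODY_PHRASE = "please see the attached zip file for details"

def attachment_matches(name):
    """True for your_details.zip, or any name ending in .zi (assumed variant)."""
    name = (name or "").strip().lower()
    return name == ATTACHMENT or name.endswith(".zi")

def score_message(raw_bytes):
    """Return (score, reasons) for one raw message; score 0-3, one per trait."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    # Collapse whitespace so folded headers still compare equal.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject in SUBJECTS:
        reasons.append("subject")
    # walk() visits every MIME part, so nested attachments are checked too.
    if any(attachment_matches(p.get_filename()) for p in msg.walk()):
        reasons.append("attachment")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = " ".join(body.get_content().split()).lower()
        if BODY_PHRASE in text:
            reasons.append("body")
    return len(reasons), reasons

def build_sample(subject, filename, text):
    """Constructed message with a harmless empty-ZIP placeholder attached."""
    m = EmailMessage()
    m["From"] = "sender@example.com"  # constructed; the real sender is spoofed
    m["Subject"] = subject
    m.set_content(text)
    m.add_attachment(b"PK\x05\x06" + b"\x00" * 18, maintype="application",
                     subtype="zip", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    raw = build_sample("Re: Movies", "your_details.zip",
                       "Please see the attached zip file for details.")
    print(score_message(raw))
```

Because the sender address is spoofed, the From header is deliberately not used as a signal. A single matching trait (for example a subject of "Re: Movie" alone) is weak evidence, so quarantine decisions are better based on two or more.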





