Mark Tinka - CCNA
Network Engineer, Africa Online Uganda
-----Original Message-----
From: owner-afnog at afnog.org [mailto:owner-afnog at afnog.org] On Behalf Of Ndungu Kahindo
Sent: Monday, July 07, 2003 9:22 AM
To: afnog at afnog.org
Subject: W32.Sobig.E@mm
I noticed that an email sent to this list had this virus. The attachment was Your_details.zip. Below are the details from the Symantec site. Is there any way we can have these emails checked for viruses before they are sent to this list? I have also noticed some unsolicited mails of late.
Kahindo
Due to an increased rate of submissions, Symantec Security Response has upgraded this threat to a Category 3 from a Category 2.
W32.Sobig.E@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses that it finds in the files with the following extensions:
- .wab
- .dbx
- .htm
- .html
- .eml
- .txt
The email falsely purports that Yahoo sent it (support at yahoo.com).
Email Routine Details
The email message has the following characteristics:
From: support at yahoo.com (NOTE: W32.Sobig.E@mm spoofs this field. It could be any address.)
Subject: The subject line will be one of the following:
- Re: Application
- Re: Movie
- Re: Movies
- Re: Submitted
- Re: ScRe:ensaver
- Re: Documents
- Re: Re: Application ref 003644
- Re: Re: Document
- Your application
- Application.pif
- Applications.pif
- movie.pif
- Screensaver.scr
- submited.pif
- new document.pif
- Re: document.pif
- 004448554.pif
- Referer.pif
Attachment: The attachment name will be one of the following:
- Your_details.zip (contains Details.pif)
- Application.zip (contains Application.pif)
- Document.zip (contains Document.pif)
- Screensaver.zip (contains Sky.world.scr)
- Movie.zip (contains Movie.pif)
NOTE: The worm de-activates on July 14, 2003, and therefore, the last day on which the worm will spread is July 13, 2003.
Symantec Security Response has created a tool to remove W32.Sobig.E@mm.
Also Known As: Win32.Sobig.E [CA], W32/Sobig-E [Sophos], W32/Sobig.e@MM [McAfee], WORM_SOBIG.E [Trend], I-Worm.Sobig.e [KAV]
Type: Worm
Infection Length: 82,195 bytes (zip file), 86,528 bytes (executable)
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
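The check asked about above, sketched as an added example (not part of the original message or the Symantec write-up): a filter that inspects each attachment and looks one level inside zip archives for the .pif/.scr members the advisory lists. The function names, the extra extensions beyond .pif and .scr, and the sample messages are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# .pif and .scr come from the advisory; the other extensions are an added assumption.
RISKY_EXT = (".pif", ".scr", ".exe", ".com", ".bat", ".cmd")

def risky_members(raw_message: bytes) -> list[str]:
    """Return one entry per risky attachment, or per risky file inside a zip."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXT):
            hits.append(name)
            continue
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    # Windows ignores trailing dots and spaces in file names.
                    if member.lower().rstrip(". ").endswith(RISKY_EXT):
                        hits.append(f"{name} -> {member}")
        except zipfile.BadZipFile:
            hits.append(f"{name} -> (unreadable zip)")  # fail closed
    return hits

def build_sample(zip_name: str, member: str) -> bytes:
    """Constructed message: a zip attachment holding harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"harmless placeholder bytes")
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "list@example.org"
    msg["Subject"] = "Re: Application"
    msg.set_content("constructed sample body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(risky_members(build_sample("Your_details.zip", "Details.pif")))
    print(risky_members(build_sample("notes.zip", "notes.txt")))
```

A list server would call such a check before distribution and hold any message for which it returns a non-empty list.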