Symantec Security Response - W32.Sobig.F@mm - Level 3 threat
W32.Sobig.F@mm
Due to the number of submissions received from customers, Symantec Security Response has upgraded this threat to a
Category 3 (moderate) from a Category 2 threat. This worm is mostly affecting the consumer user. Symantec Security
Response expects that this worm will continue to spread at a steady pace for the next 2-3 days. W32.Sobig.F@mm is a
mass-mailing, network-aware worm that sends itself to all the email addresses that it finds in the files with the
following extensions:
.dbx
.eml
.hlp
.htm
.html
.mht
.wab
.txt
The worm utilises it's own SMTP engine to propagate and will attempt to create a copy of itself on accessible network
shares. The email will have a Spoofed address (which means that the sender in the "From" field is most likely not the
real sender). The worm may use the address admin@internet.com as the sender.
* Re: Details
* Re: Approved
* Re: Re: My details
* Re: Thank you!
* Re: That movie
* Re: Wicked screensaver
* Re: Your application
* Thank you!
* Your details
Body:
* See the attached file for details
* Please see the attached file for details.
Attachment:
* your_document.pif
* document_all.pif
* thank_you.pif
* your_details.pif
* details.pif
* document_9446.pif
* application.pif
* wicked_scr.scr
* movie0045.pif
NOTE: The worm de-activates on September 10, 2003. The last day on which the worm will spread is September 9, 2003.
Definitions for this worm were posted via LiveUpdate and Intelligent Updater on August 19th. Additional technical
details and a removal tool for this worm may be found at - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
W32.Welchia.Worm Update
Current Submission numbers - 305 total, 42 corporate.
Because W32.Welchia.Worm and W32.Blaster.Worm use the same vulnerability, DeepSight cannot differentiate the infections
at this time. (Total number of infected systems for both these worms is currently 630,000.) Symantec Security Response
has received confirmation that large enterprise customers are still being impacted greatly by this worm internally. The
clean-up period will be at least weeks to months before systems are repaired.