Symantec Security Response continues to monitor Sobig.F. With the payload set to trigger today - Friday, Aug. 22
(Backdoor Trojan), Symantec Security Response has upgraded the threat to a level 4 on a scale of 1-5, with five being
the most serious.
To help put this threat in perspective, the following may be of use to you:
· Klez.H -- At its peak, Symantec Security Response recorded 4,516 submissions per day. This threat peaked two weeks
after it was discovered.
· BugBear.B -- At its peak, Symantec Security Response recorded 4,812 submissions per day. This threat peaked two days
after it was discovered.
· BadTrans -- At its peak, Symantec Security Response received 3,709 submissions per day. This threat peaked seven days
after it was discovered.
"While Blaster and Welchia primarily impacted large enterprises, Sobig.F is predominately affecting consumers and small
businesses," said Richard Batchelar, Country Manager, Symantec New Zealand. "Computer users should be reminded of
computer security best practices and should not open attachments unless they are expecting them."
W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses that it finds in the
files with the following extensions:
.dbx
.eml
.hlp
.htm
.html
.mht
.wab
.txt
The worm utilises its own SMTP engine to propagate and will attempt to create a copy of itself on accessible network
shares. The email will have a spoofed address (which means that the sender in the "From" field is most likely not the
real sender). The worm may use the address admin@internet.com as the sender.
The worm's payload triggers according to UTC time: the day of the week must be Friday or Sunday and the time of day
must be between 7pm and 10pm UTC (7am to 10am on Saturday or Monday in New Zealand). During the payload, the author of
the virus may download various files - including confidential information such as passwords. The author can also set up
spam relay servers on infected computers and send out information to an undefined address. The worm deactivates on
September 10, 2003. The last day on which the worm will spread is September 9, 2003.
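As an added example (not code from Symantec's advisory), the trigger window described above expressed as a check a defender can run against a timestamp, plus a helper that reports when the next window begins so monitoring of outbound traffic from infected hosts can be scheduled. The 19:00-22:00 UTC bounds and the New Zealand offset (NZST, UTC+12, in effect in August and September 2003) are assumptions made in the code.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Trigger conditions as described in the advisory: in UTC, the day must be
# Friday or Sunday and the time between 7pm and 10pm. The window is taken
# here as 19:00 inclusive to 22:00 exclusive (an assumption; the advisory
# does not say whether the bounds are inclusive).
TRIGGER_WEEKDAYS = {4, 6}      # datetime.weekday(): Monday=0 ... Friday=4, Sunday=6
WINDOW_START_HOUR = 19
WINDOW_END_HOUR = 22
# The worm deactivates on September 10, 2003 (per the advisory); taken as midnight UTC.
DEACTIVATION = datetime(2003, 9, 10, tzinfo=timezone.utc)
# New Zealand standard time, UTC+12, in effect during Aug/Sep 2003. A fixed
# offset is used (assumption) so the example runs without a tz database.
NZST = timezone(timedelta(hours=12), name="NZST")


def in_payload_window(when: datetime) -> bool:
    """True if the timezone-aware datetime `when` falls inside an active trigger window."""
    utc = when.astimezone(timezone.utc)
    if utc >= DEACTIVATION:
        return False
    return (utc.weekday() in TRIGGER_WEEKDAYS
            and WINDOW_START_HOUR <= utc.hour < WINDOW_END_HOUR)


def next_window_start(after: datetime) -> Optional[datetime]:
    """Start (UTC) of the first trigger window that begins at or after `after`,
    or None if the worm deactivates before any further window."""
    utc = after.astimezone(timezone.utc)
    candidate = utc.replace(hour=WINDOW_START_HOUR, minute=0, second=0, microsecond=0)
    for _ in range(8):  # eight days covers every weekday at least once
        if candidate >= utc and candidate.weekday() in TRIGGER_WEEKDAYS:
            return candidate if candidate < DEACTIVATION else None
        candidate += timedelta(days=1)
    return None


def nz_local(utc_time: datetime) -> str:
    """Render a UTC trigger time in New Zealand local time for a local watch schedule."""
    return utc_time.astimezone(NZST).strftime("%A %H:%M %Z")


if __name__ == "__main__":
    friday = datetime(2003, 8, 22, 20, 0, tzinfo=timezone.utc)   # constructed sample time
    print(in_payload_window(friday), nz_local(friday))            # True Saturday 08:00 NZST
    nxt = next_window_start(datetime(2003, 8, 22, 23, 0, tzinfo=timezone.utc))
    print(nxt.isoformat(), nz_local(nxt))
```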
Additional technical details and a removal tool for this worm may be found at - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
Although Symantec Security Response is receiving approximately 1,800 submissions per day, Symantec's experts are not
seeing the level of activities of past threats.
ENDS