W32.Sobig.F@mm upgraded to Level 4 (severe)
Symantec Security Response continues to monitor Sobig.F. With the payload (a backdoor Trojan) set to trigger today, Friday, Aug. 22, Symantec Security Response has upgraded the threat to level 4 on a scale of 1 to 5, with five being the most serious.
To help put this threat in perspective, the following may be of use to you:
· Klez.H -- At its peak, Symantec Security Response recorded 4,516 submissions per day. This threat peaked two weeks after it was discovered.
· BugBear.B -- At its peak, Symantec Security Response recorded 4,812 submissions per day. This threat peaked two days after it was discovered.
· BadTrans -- At its peak, Symantec Security Response received 3,709 submissions per day. This threat peaked seven days after it was discovered.
"While Blaster and Welchia primarily impacted large enterprises, Sobig.F is predominately affecting consumers and small businesses," said Richard Batchelar, Country Manager, Symantec New Zealand. "Computer users should be reminded of computer security best practices and should not open attachments unless they are expecting them."
W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses that it finds in the files with the following extensions:
.dbx
.eml
.hlp
.htm
.html
.mht
.wab
.txt
The worm utilises its own SMTP engine to propagate and will attempt to create a copy of itself on accessible network shares. The email will have a spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may use the address admin@internet.com as the sender.
The worm's payload is time-triggered: according to UTC, the day of the week must be Friday or Sunday and the time of day must be between 7 pm and 10 pm UTC (making it 7 am to 10 am on Saturday or Monday in New Zealand). During the payload, the author of the virus may download various files, including confidential information such as passwords. The author can also set up spam relay servers on infected computers and send out information to an undefined address. The worm deactivates on September 10, 2003. The last day on which the worm will spread is September 9, 2003.
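The trigger window above is easy to get wrong when converting between UTC and local time, so the following added example (not part of the Symantec advisory, and not the worm's own code) encodes the stated schedule in Python: Friday or Sunday, 19:00 to 22:00 UTC, ending with the September 10, 2003 deactivation. It lets a defender check whether a given timestamp falls inside a payload window and list the remaining windows in local time. The only assumption beyond the page is that New Zealand was on standard time (UTC+12) during this period, which is what the stated 7 am to 10 am local figure implies; the function and constant names are the example's own.

```python
from datetime import date, datetime, timedelta, timezone

# Schedule as stated in the advisory: Friday (4) or Sunday (6), 19:00-22:00 UTC.
PAYLOAD_WEEKDAYS = {4, 6}          # datetime.weekday(): Monday=0 ... Sunday=6
PAYLOAD_START_HOUR = 19            # inclusive, UTC
PAYLOAD_END_HOUR = 22              # exclusive, UTC
DEACTIVATION_DATE = date(2003, 9, 10)

# Assumption (not from the page): New Zealand Standard Time, UTC+12, in Aug/Sep 2003.
NZST = timezone(timedelta(hours=12), name="NZST")


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC datetime; convenience for callers and tests."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def in_payload_window(ts):
    """True if the timezone-aware timestamp falls inside a Sobig.F payload window.

    The worm compares against UTC, so the caller's zone is normalised first.
    Timestamps on or after the deactivation date never match.
    """
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    ts = ts.astimezone(timezone.utc)
    if ts.date() >= DEACTIVATION_DATE:
        return False
    return (ts.weekday() in PAYLOAD_WEEKDAYS
            and PAYLOAD_START_HOUR <= ts.hour < PAYLOAD_END_HOUR)


def payload_windows(after, count=None):
    """Return (start, end) UTC pairs of payload windows that end after `after`.

    Stops at the deactivation date, so with count=None it returns every
    remaining window. Each window is [start, end) to match in_payload_window.
    """
    if after.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    after = after.astimezone(timezone.utc)
    day = after.replace(hour=0, minute=0, second=0, microsecond=0)
    windows = []
    while day.date() < DEACTIVATION_DATE:
        if count is not None and len(windows) >= count:
            break
        if day.weekday() in PAYLOAD_WEEKDAYS:
            start = day.replace(hour=PAYLOAD_START_HOUR)
            end = day.replace(hour=PAYLOAD_END_HOUR)
            if end > after:
                windows.append((start, end))
        day += timedelta(days=1)
    return windows


def window_in_zone(window, tz):
    """Render a UTC window as 'Weekday HH:MM-HH:MM' in the given zone."""
    start, end = (t.astimezone(tz) for t in window)
    return f"{start:%A} {start:%H:%M}-{end:%H:%M} {tz.tzname(start)}"


if __name__ == "__main__":
    # Sample input constructed for the example: the advisory's own date.
    now = utc(2003, 8, 22, 12, 0)
    print("In window now?", in_payload_window(now))
    for w in payload_windows(now):
        print(f"{w[0]:%Y-%m-%d} {window_in_zone(w, timezone.utc)}"
              f"  ->  {window_in_zone(w, NZST)}")
```

Run stand-alone, the script lists every remaining window from the advisory date to deactivation, showing that 19:00 to 22:00 UTC on Friday and Sunday land on Saturday and Monday morning in New Zealand, and that the final window is Sunday, September 7, 2003.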
Additional technical details and a removal tool for this worm may be found at: http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
Although Symantec Security Response is receiving approximately 1,800 submissions per day, Symantec's experts are not seeing the level of activity of past threats.
ENDS