--------------------------------------------------------------------------------

Virus type: Worm

Destructive: No

Aliases: Win32.HLLM.Reteras, W32.Sobig.F@mm, W32/Sobig.f@MM, Sobig.F, Win32.Sobig.F, W32/Sobig-F, I-Worm.Sobig.f

Pattern file needed: 617

Scan engine needed: 6.100

Overall risk rating: Medium

--------------------------------------------------------------------------------

Reported infections: Medium

Damage Potential: High

Distribution Potential: High



--------------------------------------------------------------------------------

Description:



TrendLabs has received several infection reports of this mass-mailing worm from Norway and Spain. As of 12:19 PM GMT, Trend Micro has declared a Medium Risk alert to control the spread of this malware.

This worm propagates by mass-mailing copies of itself using its own Simple Mail Transfer Protocol (SMTP) engine. It collects email addresses from files with the following extensions:


DBX
HLP
MHT
WAB
HTML
HTM
TXT
EML

It sends out email messages with the following details:

Subject: <any of the following:>
Re: Thank you!
Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Your details

Message body: <any of the following:>
See the attached file for details.
Please see the attached file for details.

Attachment: <any of the following:>
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

It may spoof the FROM field using email addresses found on the infected machine, so that its email messages appear to originate from one source but were actually sent from another.

This worm deactivates its propagation routine on September 10, 2003.

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.
Source http://www.trendmicro.com/vinfo/viru...e=WORM_SOBIG.F