FRISK Virus Alert: W32/Sobig.C@mm

Discussion in 'malware problems & news' started by Marianna, Jun 1, 2003.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Apr 23, 2002
    B.C. Canada
    This is a virus alert for W32/Sobig.C@mm, a new mass-mailing
    worm first detected on 31 May 2003.

    W32/Sobig.C distributes both via e-mail messages pretending
    to be from "" and open network

    Due to its distribution W32/Sobig.C@mm is estimated to be
    medium risk.
  2. Longthing

    Longthing Registered Member

    Jul 27, 2002
    No definitions yet for Norton AV. For those who can't wait there are Beta definitions at

    These definitions are not fully tested.
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002
    Hi Longthing, :)

    They should be in the upcoming Live Update for today.

    Due to an increased rate of submissions, Symantec Security Response has upgraded W32.Sobig.C@mm from a Category 2 to a Category 3 as of June 1, 2003

    Beta Virus Definitions May 31, 2003

    Virus Definitions (Intelligent Updater) June 01, 2003

    Virus Definitions (LiveUpdate™) June 01, 2003


  4. Longthing

    Longthing Registered Member

    Jul 27, 2002
    When I posted the reply the update was still planned for June 2. Good to see they come with the update today ;)
  5. Andreas1

    Andreas1 Security Expert

    Jan 29, 2003
    Mainz (Ger)
    Well, in my experience (from last night), the sender is *not* always bill...
    It seems that the worm also fakes senders from the pool of harvested email addresses.
    (I got notice that I've been infected, sending the worm out when I wasn't - from a person who isn't infected either but who figures as From: value in a worm mail I've received. So someone we both know must be the one who's infected... Mail hops are not easily parsed/evaluated (no simple pattern I mean))

    BTW, NOD caught those nasties.
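
An added example, not part of the original post: one way to evaluate the mail hops mentioned above when the From: value is forged. It trusts only the Received headers written by your own mail servers and reports the peer IP recorded at that boundary. The message, host names and addresses are constructed, and the parser assumes the common "from ... [ip] by host" layout.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real capture. The From value is forged and the
# oldest Received line was supplied by the sending machine itself.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mailstore.example.net with ESMTP id A1; Sun, 1 Jun 2003 09:14:07 +0200
Received: from pc-home (dsl-host.example.org [198.51.100.77])
\tby mx1.example.net with SMTP id B2; Sun, 1 Jun 2003 09:14:05 +0200
Received: from mail.example.com ([203.0.113.5])
\tby pc-home with SMTP; Sun, 1 Jun 2003 09:13:00 +0200
From: Friend <friend@example.com>
To: me@example.net
Subject: constructed sample

body
"""

BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hop(value):
    """Return the host that wrote a Received header and the peer IP it saw."""
    flat = " ".join(value.split())            # undo header folding
    by = BY_RE.search(flat)
    ip = IP_RE.search(flat.split(" by ", 1)[0])
    return {"by": by.group(1).lower() if by else None,
            "peer_ip": ip.group(1) if ip else None}

def last_verifiable_hop(raw, trusted_hosts):
    """Walk hops newest-first; stop at the first one not written by our servers."""
    msg = message_from_string(raw)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    verified = 0
    for hop in hops:
        if hop["by"] not in trusted_hosts:
            break                              # anything from here down may be forged
        verified += 1
    origin = hops[verified - 1] if verified else None
    return {"from_header": parseaddr(msg.get("From", ""))[1],
            "origin_ip": origin["peer_ip"] if origin else None,
            "recorded_by": origin["by"] if origin else None,
            "unverified_hops": len(hops) - verified}

if __name__ == "__main__":
    print(last_verifiable_hop(SAMPLE, {"mailstore.example.net", "mx1.example.net"}))
```

The reported IP identifies the machine that handed the message to your infrastructure, which is the value to pass to that network's abuse contact; the From address plays no part in the result.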

  6. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands
    Free cleaner, courtesy Paolo Monti/Eset Italy; have a look over here :cool:


  7. Longthing

    Longthing Registered Member

    Jul 27, 2002
    You're right. Got one today, intercepted by Nod. Sender was an e-mail address
  8. FanJ

    FanJ Guest

    Quote from the Kaspersky newsletter June 03, 2003
    "Sobig" Is Back!
    A new version of the network worm "Sobig" has been detected - Sobig.c.
    Already there have been numerous registered infections from the new
    version of this malicious program.

    From the time of the first appearance of the "Sobig" worm in mid January
    2003 three versions have been identified and indexed as 'A', 'B' and
    'C'. In the May compilation of the twenty most widespread viruses
    ( Sobig has managed to
    confidently outpace such infamous titans as "Klez" and "Lentin" (aka

    The "Sobig" worm spreads itself via e-mail in the form of a file
    attachment as well as over local area networks. To spread over LANs
    Sobig copies itself to shared network drives, while via e-mail the worm
    scans infected computers for files containing e-mail addresses and then
    clandestinely sends copies of itself to the found addresses. To draw
    users into launching the file attachment containing the infected code,
    "Sobig" employs various social engineering techniques, among which is a
    message disguised as a technical support message sent from Microsoft.

    Of the collateral effects caused by Sobig, it is essential to note the
    worm's ability to download and install from a remote Web-servers updated
    versions of itself as well as to impregnate infected systems with
    spyware programs.

    "Sobig.b" (aka "Palyh") essentially breathed new life into the worm and
    is the main reason Sobig was able to rise to the highest position in
    May's accounting of the most widespread virus programs. Still, this
    version's code contains a time trigger: if the system date on an
    infected computer surpasses May 31, the worm automatically shuts down
    all its functions except for its ability to download additional files.
    This characteristic fundamentally doomed "Sobig.b" as the web-server
    from which it retrieves its updates has been closed down.

    "Sobig.c", the worm's newest version is virtually identical to its
    predecessors, though it is operable only until June eighth, after which
    it is diffused. "One gets the impression that the creation of 'doomed
    worms' is somehow a trait of the virus author's particular style;
    unfortunately the whereabouts of this author are not yet known,"
    commented Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky
    Labs. "Perhaps we can assume that the next array of worms to appear in
    this 'Never-ending Story' will be active only until June 16, 23, 30

    Most reputable anti-virus companies have already added the fix for
    "Sobig.c" to their anti-virus databases. To avoid the unpleasantries of
    infection it is advisable to update your anti-virus software's database.

    More detailed information about all three "Sobig" versions can be found
    in the Kaspersky Virus Encyclopedia at the addresses listed below:

    Sobig.a -
    Sobig.b(aka Palyh)-
    Sobig.c -
  9. Longthing

    Longthing Registered Member

    Jul 27, 2002
    Just received the newsletter too. :D
  10. FanJ

    FanJ Guest

  11. FanJ

    FanJ Guest

    Again a quote from the Kaspersky newsletter June 04, 2003
    "Sobig" Worm Possibly Aided By Spamming Techniques
    As has been reported by Kaspersky Labs
    (, a new
    modification of the "Sobig" network worm, "Sobig.c" has been spreading
    across the Internet. After examining the situation, Kaspersky Labs
    believes there is a strong possibility that the virus' creators used
    spamming technology to mass mail the "Sobig.c" worm.

    Network worms differ from other malicious programs with their ability to
    automatically propagate (deliver infected messages, attack P2P networks,
    local area networks etc.). The situation with "Sobig.c" appears to be
    the first time these functions were fortified by mass mailing
    technology. As such, the use of this technology would explain how the
    "Sobig" worm family instantly jumped to first place in May's list of the
    most widespread virus programs.

    Under this conclusion it is possible to state a few facts: Firstly, the
    spreading methods used by the "Sobig" worm are not effective enough to
    cause such a large number of infections in such a short period of time.
    Secondly, the overwhelming majority of the infected messages being sent
    out do not use the address as stipulated in the
    worm's code, but rather other falsified addresses. Finally, detailed
    analysis of the IP-addresses at the source of "Sobig.c" mailings
    confirms the high probability of the use of spamming technology.

    It is doubtful that spammers decided to expand their business to include
    the anonymous mailing of infected messages. Likewise doubtful would be
    virus creators using for hire spamming services that would have cost up
    to several thousand US dollars. For even the most obsessed virus writer
    this amount would almost surely be prohibitive. On the other hand, it
    should be noted that the computer underground have perfected the art of
    covering their tracks. They masterfully use anonymity and the
    extraterritoriality of the worldwide Web to hide their illegal

    "It is possible that virus writers actually decided to quench their
    irrational thirst to destroy with the help of spamming technology",
    commented Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky
    Labs. The consequences of this symbiosis are hard to overestimate.
    Using "spamesque" mass mailings can tremendously increase the speed by
    which worms spread and the geographic territory covered. This
    technological integration could provoke global flood-attacks on the
    Internet (such as happened with 'Slammer') that could lead to the
    lowering of the network's productivity and even result in its
    decomposition into disconnected segments.

    "It is possible to simply blame the evil geniuses who thought up this
    method of network attack. On the other hand one should look at the
    situation objectively; naturally in the environment of complete chaos
    and total anonymity that reigns over the Internet, certain people are
    not able to resist the temptation to commit cyber hooliganism", injected
    Eugene Kaspersky. According to Kaspersky Labs' research, the overriding
    factor motivating the overwhelming majority of virus creators to
    practice their craft is impunity. If they would be confident in the
    eventuality of being punished for committing unlawful acts, by far the
    majority of virus creators would simply cease to commit their crimes.
    This reality once more confirms the urgency to establish additional
    Internet security measures or to create a parallel, protected network to
    be used exclusively for business communications.
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002
    Security experts did agree that computer users should be ready for a new version of the Sobig virus this weekend.
    The Sobig.C variant is programmed to expire on June 8 and Sobig.C was released on the same day that its predecessor, Sobig.B, was programmed to stop spreading.
    The serial releases may be an effort by the Sobig author to fool antivirus software by subtly altering the makeup of the virus. Alternatively, the author could be releasing "proof of concept" viruses, testing the success of different viruses depending on when and how they are distributed, according to Sunner and Belthoff.
