From Symantec: "W32.Sobig.D@mm is a mass-mailing worm that sends itself to all the email addresses that it finds in files with the following extensions: .wab .dbx .htm .html .eml .txt The email falsely purports that it is sent by firstname.lastname@example.org Email Routine Details The email message has the following characteristics: From: email@example.com (NOTE: W32.Sobig.D@mm spoofs this field. It could be any address.) Subject: The subject line will be one of the following: Re: Documents Re: App. 00347545-002 Re: Movies Application Ref: 456003 Re: Your Application (Ref: 003844) Re: Screensaver Re: Accepted Your Application Message Body: See the attached file for details Attachment: The attachment name will be one of the following: Document.pif app003475.pif movies.pif ref_456.pif Application844.pif Screensaver.scr Accepted.pif Applications.pif Application.pif NOTE: The worm de-activates on July 2, 2003, and therefore, the last day on which the worm will spread is July 1, 2003. Also Known As: I-Worm.Sobig.gen [KAV], W32/Sobig [McAfee] Type: Worm Infection Length: 57,856 bytes Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me When W32.Sobig.D@mm is executed, it performs the following actions: 1. Copies itself as %Windir%cftrb32.exe. NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:Windows or C:Winnt) and copies itself to that location. 2. Creates the following files to store an internal configuration data: %Windir%dftrn32.dat %Windir%rssp32.dat 3. Adds the value: "SFtrb Service"="%Windir%cftrb32.exe" to the registry key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun so that W32.Sobig.D@mm runs when you start Windows. 4. If the operating system is Windows NT/2000/XP, then the worm will also add the value: "SFtrb Service"="%Windir%cftrb32.exe" to the registry key: HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun 5. Counts the Network Resources and copies itself to the following folders: WindowsAll UsersStart MenuProgramsStartUp Documents and SettingsAll UsersStart MenuProgramsStartup 6. Attempts to download data from particular Web pages. W32.Sobig.D@mm is also network-aware. It counts the network resources and copies itself to the following folders on other computers to which it has access: WindowsAll UsersStart MenuProgramsStartUp Documents and SettingsAll UsersStart MenuProgramsStartup" For more information go here: http://www.symantec.com/avcenter/ Regards, Jade.