Sobig.B Worm is Spreading at an Alarming Rate
Posted on 19.05.2003
F-Secure is raising the alert to the highest level as Sobig.B infections have been reported from over 80 countries worldwide.

Sobig.B (also known as Palyh or Mankx) was first seen on Sunday, 18th of May. Since then it has been spreading at an increasing pace. Largest infections seem to be in UK and USA.

The worm spreads via e-mail attachments and Windows network shares. The e-mails sent by the worm pretend to come from support@microsoft.com and they contain the message text "All information is in the attached file".

"It's important to remember that Microsoft's support department never sends out attachments", explains Mikko Hypponen, Manager of Anti-Virus Research at F-Secure.

The worm collects e-mail addresses from various files on the infected computer and sends the infected e-mails with variable subjects, content, filenames and file sizes.

"The attachments sent by the worm are PIF executables - normal users really never send this types of files", continues Hypponen. "Corporate companies should simply filter all PIF attachments at gateway level. Home users can use their Delete buttons instead".

In addition to the e-mail spreading, Sobig.B will search for Windows machines within the infected Local Area Network and will try to copy itself to their Startup folder. This will fail unless users are sharing their Windows directories with write access - a thing that should never be done.

After spreading, Sobig.B will try to download additional code from a web pages located at Geocities.com and run it. "There's been speculation that the Sobig.A virus was used by spammers to create anonymous gateways for sending spam e-mail messages", says Hypponen. "Perhaps that was the intention with Sobig.B too". F-Secure has been in touch with various security response organizations and has received confirmation from Geocities that the pages used by the worm have been closed.

The Sobig.B worm won't spread for long. It has been programmed to stop spreading on the 31st of May, 2003 - roughly in two weeks time. It will still continue to send infected e-mails from machines that have their clock set wrong.

More information on the Sobig.B virus is available from the "Global Sobig.B Virus Information Center", available online at http://www.f-secure.com/sobig/

The page includes technical descriptions, images and real-time statistics on the worm. F-Secure is also developing a free tool, which will clean Sobig.B - infected machines. The tool will be posted to this Information Center when it has been released.

F-Secure Anti-Virus can detect, stop and disinfect the Sobig.B worm. F-Secure Anti-Virus can be downloaded from http://www.f-secure.com





Spotlight

Patching: The least understood line of defense

Posted on 29 August 2014.  |  How many end users, indeed how many IT pros, truly get patching? Sure, many of us see Windows install updates when we shut down our PC and think all is well. Itís not.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Tue, Sep 2nd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //