Like its predecessors, Sobig.D sends itself out via e-mail to all the e-mail addresses in files with TXT, EML, HTM*, DBX and WAB extensions it finds on the affected computer, using its own SMTP engine in order not to leave any traces of its actions. The subjects and attached files in the e-mail message carrying the worm use what has been dubbed social engineering to trick the user into opening it. These are selected from a list of options, which can be consulted at Panda.
Sobig.D can also spread across local networks. In order to do this, it copies itself to the Windows startup directories in the computers connected to the same network as the affected computer.
Finally, Sobig.D creates several entries in the Windows Registry in order to ensure it is run whenever the computer is started up.