Updated 27th June 2003
The first 'Sobig' worm appeared in May '03. To this date
(end of June) there are four variants, of which only two,
Sobig.D and Sobig.E, are still spreading. A characteristic
common to all variants so far is that each stops spreading
on a predetermined date; the E variant is programmed to
desist on July 14.
Distribution: The Sobig worms are mass-mailers. They spread
as an e-mail attachment with a PIF extension and pretend to
be sent from support@microsoft.com; the C variant instead
forges bill@microsoft.com as the sender.
When the attachment is opened, the worm attempts to install
itself into Windows' startup sequence under one of the names
Msccn32.exe, mscvb32.exe, winssk32.exe or cftrb32.exe. This
attempt is blocked by InVircible. On an already infected PC,
the worm also copies itself to every shared resource on which
it has "write" permission.
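The two host-side indicators the bulletin gives (a PIF attachment arriving from a forged microsoft.com address, and one of the four dropper names in a startup location) can be checked mechanically. The script below is an added example written for this page; it is not InVircible's code. The sample message, the attachment name "application.pif", the startup-entry names and the drive paths are all constructed for illustration; the sender addresses and dropper filenames are the ones listed above.

```python
"""Check a mail message and a list of startup entries for the Sobig
indicators described in the bulletin.  Added example, not vendor code."""
import email
import email.utils
import ntpath
from email import policy
from email.message import EmailMessage

# Indicators taken from the bulletin text.
SPOOFED_SENDERS = {"support@microsoft.com", "bill@microsoft.com"}
DROPPER_NAMES = {"msccn32.exe", "mscvb32.exe", "winssk32.exe", "cftrb32.exe"}
RISKY_EXTENSIONS = (".pif",)


def attachment_names(msg):
    """Return the filenames of all attachment parts of a parsed message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def classify_message(raw_bytes):
    """Parse a raw RFC 822 message and report which Sobig indicators it shows."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    names = attachment_names(msg)
    pif = [n for n in names if n.lower().endswith(RISKY_EXTENSIONS)]
    reasons = []
    if pif:
        reasons.append("pif-attachment")
    if sender in SPOOFED_SENDERS:
        reasons.append("spoofed-microsoft-sender")
    return {"sender": sender, "attachments": names,
            "reasons": reasons, "suspicious": bool(reasons)}


def executable_name(command_line):
    """Extract the executable's basename from a startup command line,
    handling both quoted and unquoted paths."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        parts = cmd.split()
        exe = parts[0] if parts else ""
    return ntpath.basename(exe).lower()


def check_startup_entries(entries):
    """entries: iterable of (entry_name, command_line) pairs collected from
    a startup location.  Returns (entry_name, executable) for each entry
    whose executable is one of the bulletin's dropper names."""
    hits = []
    for name, command in entries:
        exe = executable_name(command)
        if exe in DROPPER_NAMES:
            hits.append((name, exe))
    return hits


def build_sample_message():
    """Constructed message that mimics the described lure: forged
    support@microsoft.com sender with a .pif attachment (dummy bytes)."""
    msg = EmailMessage()
    msg["From"] = "support@microsoft.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Re: Application"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"\x00dummy-attachment-bytes\x00",
                       maintype="application", subtype="octet-stream",
                       filename="application.pif")
    return msg.as_bytes()


# Constructed startup entries: one dropper name, one benign program.
SAMPLE_STARTUP = [
    ("SystemTray", '"C:\\WINDOWS\\winssk32.exe"'),
    ("Volume", "C:\\WINDOWS\\system32\\sndvol32.exe /s"),
]

if __name__ == "__main__":
    print(classify_message(build_sample_message()))
    print(check_startup_entries(SAMPLE_STARTUP))
```

The message check looks at the declared attachment filename only; a mail gateway would additionally want to reject PIF attachments regardless of sender, since the forged address is the variable part of the lure. The startup check matches on basename, so it also catches the dropper when it is registered from a different directory.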