The latest Sobig worm (variant F) is spreading quickly.
It hides the sender by spoofing the From address. The worm
is compressed with the TELock file packer and is 70KB in
size. The worm's attachment is made polymorphic by appending
random text to the end of the file. Sobig.F will stop
spreading on 9 September. The worm installs a copy in the
Windows folder as winppr32.exe and writes to the Run
registry key. InVircible intercepts the worm's attachment
both by bogus file naming (where it has a double extension)
and as suspicious PE code, where the file name looks "legit".
Subject (one of the following):
  Re: Thank you!
  Thank you!
  Your details
  Re: Details
  Re: Re: My details
  Re: Approved
  Re: Your application
  Re: Wicked screensaver
  Re: That movie

Message body (always the same):
  "Please see the attached file for details."

Attachment (one of the following names):
  your_document.pif
  details.pif
  your_details.pif
  thank_you.pif
  movie0045.pif
  document_Fall.pif
  application.pif
  document_9446.pif
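The following is an added example, not InVircible's code or anything from the original bulletin. It turns the indicators above (subjects, body text, attachment names) and the two interception methods described (a double-extension or executable attachment name, and PE content behind a legit-looking name) into a small mail-gateway check. The Message class, the EXECUTABLE_EXTS list and the sample messages are constructed for the example.

```python
"""Gateway-style check for the Sobig.F indicators listed in the bulletin.

Added example, not the vendor's code. Message, EXECUTABLE_EXTS and the
sample messages in the test are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Indicators copied from the bulletin above.
SOBIG_F_SUBJECTS = {
    "Re: Thank you!", "Thank you!", "Your details", "Re: Details",
    "Re: Re: My details", "Re: Approved", "Re: Your application",
    "Re: Wicked screensaver", "Re: That movie",
}
SOBIG_F_BODY = "Please see the attached file for details."
SOBIG_F_ATTACHMENTS = {
    "your_document.pif", "details.pif", "your_details.pif", "thank_you.pif",
    "movie0045.pif", "document_Fall.pif", "application.pif", "document_9446.pif",
}
# Assumption: extensions Windows runs directly; a typical gateway block list.
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd"}


@dataclass
class Message:
    """Minimal view of a mail message (constructed type for the example)."""
    subject: str
    body: str
    attachment_name: Optional[str] = None
    attachment_data: bytes = b""


def name_findings(filename: str) -> List[str]:
    """Bogus-file-naming check: known names, double extensions, executables."""
    parts = filename.lower().split(".")
    findings = []
    if filename in SOBIG_F_ATTACHMENTS:
        findings.append("known Sobig.F attachment name")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS:
        findings.append("double extension ending in executable type")
    elif parts[-1] in EXECUTABLE_EXTS:
        findings.append("executable attachment (.%s)" % parts[-1])
    return findings


def content_findings(filename: str, data: bytes) -> List[str]:
    """Suspicious-PE check: MZ header under a name that does not claim to be code.

    Keying on the header rather than a whole-file hash means the random text
    the worm appends to the file does not affect the result.
    """
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if data[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
        return ["PE executable content under non-executable name"]
    return []


def classify(msg: Message) -> List[str]:
    """Collect every indicator that fires on the message."""
    findings = []
    if msg.subject in SOBIG_F_SUBJECTS:
        findings.append("known Sobig.F subject")
    if msg.body.strip() == SOBIG_F_BODY:
        findings.append("known Sobig.F body text")
    if msg.attachment_name:
        findings += name_findings(msg.attachment_name)
        findings += content_findings(msg.attachment_name, msg.attachment_data)
    return findings


def verdict(msg: Message) -> str:
    """quarantine on any attachment indicator; flag when only the mail text matches."""
    findings = classify(msg)
    text_hits = [f for f in findings if f.startswith("known Sobig.F subject")
                 or f.startswith("known Sobig.F body")]
    attach_hits = [f for f in findings if f not in text_hits]
    if attach_hits:
        return "quarantine"
    if len(text_hits) == 2:
        return "flag"
    return "deliver"


if __name__ == "__main__":
    # Constructed sample: a worm-style mail with a padded PE attachment.
    sample = Message("Re: Details", SOBIG_F_BODY, "your_details.pif",
                     b"MZ\x90\x00" + b"random padding text")
    print(verdict(sample), classify(sample))
```

Subject and body matches alone only flag the message, since the spoofed From address and the fixed wording will also appear in legitimate replies; an executable or PE-bearing attachment is what earns quarantine.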