- Sobig (computer worm)
The Sobig Worm was a
computer worm that infected millions ofInternet -connected,Microsoft Windows computers in August2003 .Although there were indications that tests of the worm were carried out as early as August
2002 , Sobig.A was first found in the wild in January2003 . Sobig.B was released on May 2003. It was first called "Palyh", but was later renamed to Sobig.B afteranti-virus experts discovered it was a new generation of Sobig. Sobig.C was releasedMay 31 and fixed the timing bug in Sobig.B. Sobig.D came a couple of weeks later followed by Sobig.E inJune 25 . OnAugust 19 , Sobig.F became known and set a record in sheer volume of e-mails.The worm was most widespread in its "Sobig.F" variant.
Sobig is a
computer worm in the sense that it replicates by itself, but also a Trojan horse in that it masquerades as something other thanmalware . The Sobig worm will appear as anelectronic mail with one of the following subjects:* Re: Approved
* Re: Details
* Re: Re: My details
* Re: Thank you!
* Re: That movie
* Re: Wicked screensaver
* Re: Your application
* Thank you!
* Your detailsIt will contain the text: "See the attached file for details" or "Please see the attached file for details." It also contains an attachment by one of the following names:
* application.pif
* details.pif
* document_9446.pif
* document_all.pif
* movie0045.pif
* thank_you.pif
* your_details.pif
* your_document.pif
* wicked_scr.scrTechnical details
The Sobig viruses infect a host computer by way of the above mentioned attachment. When this is started they will replicate by using their own
SMTP agent engine. E-mail addresses that will be targeted by the virus are gathered from files on the host computer. Thefile extension s that will be searched for e-mail addresses are:* .dbx
* .eml
* .hlp
* .htm
* .html
* .mht
* .wab
* .txtThe Sobig.F variant was programmed to contact 20 IP addresses on UDP port 8998 on
August 26 ,2003 to install some program or update itself. It is unclear what this program was, but earlier versions of the virus had installed the WinGateproxy server software - a legitimate product - in a configuration allowing it to be used as a backdoor for spammers to distribute unsolicited e-mail.The Sobig worm was written using the Microsoft Visual C++ compiler, and subsequently compressed using a data compression program called
tElock .The Sobig.F worm deactivated itself on
September 10 , 2003. OnNovember 5 the same year,Microsoft announced that they will pay $250,000 for information leading to the arrest of the creator of the Sobig worm. To date, the perpetrator has not been caught.ee also
*
Notable computer viruses and worms External links
* [http://www.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html Information on Sobig from Symantec]
* [http://www.lurhq.com/sobig-e.html A detailed analysis of how sobig works]
* [http://authortravis.tripod.com Who wrote SoBig? - an analysis of who probably wrote sobig (names names)]
Wikimedia Foundation. 2010.