The W32/Sobig.C@MM Virus Spreads Rapidly; Forges Its From: Field

This information can be freely reproduced in any medium, as long as the information is unmodified.

The Sobig virus family affects only PC computers running Windows; Macintosh users, and users of other non-Windows operating systems cannot be infected by this virus. These users may, however, see plenty of infected email from Sobig.C, in particular, so its "annoyance factor" is large.

• The first Sobig variant (W32/Sobig.A) was discovered in January 2003; the second variant, W32/Sobig.B (a.k.a. Palyh a.k.a. Mankx) appeared on 18 May, 2003. Both of these variants were no particular problem -- although both forged their "From:" address, they were easy to prevent at the email gateway.

• U-M Windows users who have VirusScan installed and updating itself automatically have been protected against Sobig.A since 15 January 2003, and against Sobig.B since 18 May, 2003.

On 31 May, 2003, the W32/Sobig.C virus was discovered; our antivirus vendor provided us with a temporary fix (an "extra.dat" file) on 1 June, 2003 in the afternoon, and with an automatic update (the 4268 drivers) in the early evening. We made both these solutions available, each within about an hour of their respective releases. In fact, VirusScan protected our users since the 4267 drivers were released Wednesday 28 May, 2003, although the 4267 drivers identifed the problem as "Sobig.dam", since it thought it was examining a damaged version of the virus. The 4268 drivers identify the virus as "W32/Sobig.c@MM"

Later in the day on 1 June, the Sobig.C variant began to spread rapidly world-wide. This is the only variant of Sobig to date that has been any sort of problem at the University... but it is out "In The Wild" in a very big way.

The main features of Sobig.C are these:

• It forges its From: field, so that recipients of email with Sobig.C-infected attachments seem to get it from someone who was not the actual sender (and is not the real Sobig.C victim)
  • It has one address hard-coded into the virus itself -- bill@microsoft.com. If you get a message from this address, Bill Gates is NOT sending you email....

  • Sobig.C also will scavenge the victimized computer for text that looks like email addresses, and forge email as if it were from those addresses as well. Hence if you get email from an address you recognize but it contains an unexpected attachment, BEWARE!: Sobig.C probably forged the address and sent you an infected attachment. Don't be fooled!

• The text always is merely

        Please see the attached file.
  

  Obviously, you should not attempt to open the attachment.... But then again, you never should open unsolicited attachments -- not even when they appear to be from someone you know and trust.

• The Subject: line will be one of the following:

  • Approved
  • Re: 45443-343556
  • Re: Application
  • Re: Approved
  • Re: Movie
  • Re: Screensaver
  • Re: Submited (004756-3463)
  • Re: Your application

  Obviously, these subjects are a warning.

• Sobig.C can spread via open network shares. I recommend that you disable File and Print Sharing, or at least password protect all shared resources.

• After 8 June, the virus will stop propagating -- though it still will infect an original host if given a chance. But even after that date, you'll want to get rid of it as soon as possible.

  Probably we can expect Sobig.D around 8 June, and who knows what joys it will bring....

1. Person A's computer gets infected

2. Sobig.C harvests email addresses, including addresses for persons B and C

3. Sobig.C sends email from A's computer, using a From: address of person B, and a To: address of person C.

4. Person C's antivirus software notices that the email "from" person B is infected, so C emails B to warn him or her.

5. Person B scans his or her computer and finds no virus; person B is very confused.

What should you do if:

• If know you are infected by Sobig.C?

  Easy: disinfect with current, top quality antivirus software. University folks can get such software here.

• You receive email you suspect is infected with Sobig.C -- or other viruses, for that matter?

  That's up to you; for suggestions, see our What to do with suspicious email document.

• You receive email that you are sending Sobig.C-infected email?

  This is a bit more involved:

  1. First, you probably are not infected, particularly if you are getting email from the recipient or from some automated announcement system: most of these alerts are well intentioned, but they do not check the full email headers to see who the real sender is.

     [Of course, if you get email from us that you are infected, or from others who ought to know, then there is a much higher chance that your computer is infected. But everyone makes mistakes, so it's not a sure thing!]

  2. Nonetheless, you should check that your computer has top quality antivirus software installed, and that it is current, and that you do not have any viruses on your machine.

  3. Assuming that you have no viruses on your computer, you may want to ask the sender of the alert for more information. In particular, you'll need full email headers; when you receive them, pass this information along to your competent antivirus support personnel. Better yet, Cc: those support folks in your original request, and ask that the full headers, etc., be sent to the support personnel directly.

     U-M folks: you can request that this information be sent to the U-M Virus Busters Team, of course.

  For technical info on Sobig.C, see e.g. Network Associates write-up on Sobig.C (leaving our site) or F–Secure's write up (leaving our site).

The URL for this document is http://www.umich.edu/~virus-busters/sobig-c.html

For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

   -BPB