The W32/Sobig.E@MM Virus Spreads Steadily; Forges Its "From:" Field

This information can be freely reproduced in any medium, as long as the information is unmodified.

The Sobig virus family affects only PC computers running Windows; Macintosh users, and users of other non-Windows operating systems cannot be infected by this virus. These users may, however, see plenty of infected email from Sobig.E, in particular, so its "annoyance factor" is large.

• The first Sobig variant (W32/Sobig.A) was discovered in January 2003; the second variant, W32/Sobig.B (a.k.a. Palyh a.k.a. Mankx) appeared on 18 May, 2003. Both of these variants were no particular problem -- although both forged their "From:" address, they were easy to prevent at the email gateway.

  W32/Sobig.C, discovered 31 May, 2003, was a much larger problem, but it was programmed to stop spreading on 8 June, 2003. W32/Sobig.D was a flop, but W32/Sobig.E seems to be having some success.

• U-M Windows users who have VirusScan installed and updating itself automatically have been protected against Sobig.A since 15 January 2003, and against Sobig.B since 18 May, 2003. VirusScan protected against Sobig.C on 31 May, 2003, and against Sobig.D as soon as it appeared.

On 25 June, 2003, the W32/Sobig.E virus was discovered; our antivirus vendor provided us with a fix early that afternoon -- the 4273 drivers. We made this solution available, within about half an hour of its release. In fact, VirusScan protected our users since the 4266 drivers were released Wednesday May 21, 2003 although these drivers used "heuristic techniques" to recognize the variants released previously (this recognition was fuzzy, of course but sufficient to protect us well in advance). The 4273 drivers accurately identify Sobig.E as "W32/Sobig.E@MM"

We haven't seen a lot of copies of Sobig.E here at the University, but it definitely is out "In The Wild" to at least a moderate degree.

The main features of Sobig.E are these:

• It forges its From: field, so that recipients of email with Sobig.E-infected attachments seem to get it from someone who was not the actual sender (and is not the real Sobig.E victim)

• The text always is merely

      Please see the attached zip file for details.
  

  Obviously, you should not attempt to open the attachment.... But then again, you never should open unsolicited attachments -- not even when they appear to be from someone you know and trust.

• Not surprisingly, the virus sends its infected attachment in a ZIPfile. Initial reports suggested that the filename was random, but it now appears that it may always be named one of a very few things. We've see your_details.zip only, so far. Sometimes, however, the attachment will have an extension of .zi instead of .zip

• The Subject: line will be one of the following:
  • Re: Application
  • Re: Movie

• Sobig.E will scavenge the victimized computer for text that looks like email addresses, and forge email as if it were from those addresses as well. Hence if you get email from an address you recognize but it contains an unexpected attachment, BEWARE!: Sobig.E probably forged the address and sent you an infected attachment. Don't be fooled!

• Sobig.E is programmed to stop replicating on 14 July, 2003.

• Sobig.E can spread via open network shares. I recommend that you disable File and Print Sharing, or at least password protect all shared resources.

1. Person A's computer gets infected

2. Sobig.E harvests email addresses, including addresses for persons B and C

3. Sobig.E sends email from A's computer, using a From: address of person B, and a To: address of person C.

4. Person C's antivirus software notices that the email "from" person B is infected, so C emails B to warn him or her.

5. Person B scans his or her computer and finds no virus; person B is very confused.

What should you do if:

• If know you are infected by Sobig.E?

  Easy: disinfect with current, top quality antivirus software. University folks can get such software here.

  There is an excellet tool for doing this -- it also handles a fair number of other viruses that are particularly nasty. It's NAI's free! Stinger tool (leaving our site). If you use Stinger, be sure to follow all the instructions they provide -- in particular, booting in Safe Mode and, if you use WinME or WinXP, disabling System Restore. Otherwise, you'll be wasting time and effort.

  Also, note that while Stinger removes a few nasty viruses, it does NOT detect most of the 73000+ viruses known to exist -- nor does it protect you from getting reinfected. For that, you must use normal antivirus software.

  One more time: Stinger is for detection and removal only, not protection.

• You receive email you suspect is infected with Sobig.E -- or other viruses, for that matter?

  That's up to you; for suggestions, see our What to do with suspicious email document.

• You receive email that you are sending Sobig.E-infected email?

  This is a bit more involved:

  1. First, you probably are not infected, particularly if you are getting email from the recipient or from some automated announcement system: most of these alerts are well intentioned, but they do not check the full email headers to see who the real sender is.

     [Of course, if you get email from us that you are infected, or from others who ought to know, then there is a much higher chance that your computer is infected. But everyone makes mistakes, so it's not a sure thing!]

  2. Nonetheless, you should check that your computer has top quality antivirus software installed, and that it is current, and that you do not have any viruses on your machine.

  3. Assuming that you have no viruses on your computer, you may want to ask the sender of the alert for more information. In particular, you'll need full email headers; when you receive them, pass this information along to your competent antivirus support personnel. Better yet, Cc: those support folks in your original request, and ask that the full headers, etc., be sent to the support personnel directly.

     U-M folks: you can request that this information be sent to the U-M Virus Busters Team, of course.

  For technical info on Sobig.E, see e.g. Network Associates write-up on Sobig.E (leaving our site) or F–Secure's write up (leaving our site).

The URL for this document is http://www.umich.edu/~virus-busters/sobig-e.html

For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

   -BPB