Yes, a damn fucking virus has many names
W32.Sobig.F@mm
W32.Dumaru@mm
W32.Welchia.Worm
W32.Blaster.Worm
Backdoor.Winshell.50
W32.Mimail.A@mm
W32.Mumu.B.Worm
W32.Sobig.E@mm
W32.Femot.Worm
W32.Bugbear.B@mm
Bat.Mumu.A.Worm
W32.Sobig.C
W32.Sobig.B
It is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in the files that have the following extensions:
.dbx
.eml
.hlp
.htm
.html
.mht
.wab
.txt
.pif
The worm uses its own SMTP engine to propagate and attempts to create a copy of itself on accessible network shares, but fails due to bugs in the code.
Email routine details
The email message has the following characteristics:
From: Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address, [email protected], as the sender.
NOTES:
The spoofed addresses and the Send To addresses are both taken from the files found on the computer. Also, the worm may use the infected computer's settings to check for an SMTP server to contact.
The choice of the internet.com domain appears to be arbitrary and does not have any connection to the actual domain or its parent company.
Subject:
Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Thank you!
Your details
Body of email indicates:
See the attached file for details
Please see the attached file for details.
Attachment:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
The worm de-activates on September 10, 2003. The last day on which the worm will spread is September 9, 2003.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 3.x
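
A mail-filter check built from the subject, body and attachment indicators listed above, as an added example that is not part of the original post. The names `classify` and `sample`, the example.test addresses and the match/suspect/clean policy are assumptions, the test messages are constructed, and the generic .pif/.scr extension check goes beyond the exact file names listed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the worm description above.
SUBJECTS = {"re: details", "re: approved", "re: re: my details",
            "re: thank you!", "re: that movie", "re: wicked screensaver",
            "re: your application", "thank you!", "your details"}
BODIES = {"see the attached file for details",
          "please see the attached file for details"}
ATTACHMENTS = {"your_document.pif", "document_all.pif", "thank_you.pif",
               "your_details.pif", "details.pif", "document_9446.pif",
               "application.pif", "wicked_scr.scr", "movie0045.pif"}

def classify(raw: bytes) -> str:
    """Return 'match', 'suspect' or 'clean' for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = " ".join((msg["Subject"] or "").lower().split())
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().strip().lower().rstrip(".") if part else ""
    # Compare on the bare file name: case-folded, any path prefix removed.
    names = {(p.get_filename() or "").replace("\\", "/").rsplit("/", 1)[-1].lower()
             for p in msg.iter_attachments()}
    named = bool(names & ATTACHMENTS)
    text = subject in SUBJECTS or body in BODIES
    if named and text:
        return "match"      # listed attachment plus listed subject or body
    if named or (text and any(n.endswith((".pif", ".scr")) for n in names)):
        return "suspect"    # partial overlap: hold for review (assumed policy)
    return "clean"          # a listed subject alone is too common to act on

def sample(subject: str, body: str, filename: str = "") -> bytes:
    """Build a constructed test message; the payload is inert placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.test"   # constructed; From is spoofed anyway
    m["To"] = "user@example.test"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(classify(sample("Re: Details", "See the attached file for details", "details.pif")))
    print(classify(sample("Re: Wicked screensaver", "hi", "holiday.SCR")))
    print(classify(sample("Thank you!", "Thanks for the lift yesterday.")))
```

Because the From field is spoofed, the check deliberately ignores the sender and keys only on subject, body and attachment name.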