Sobig.D does not have any destructive effects. Its main effect is that it sends itself to every e-mail address it finds in files on the affected computer that have the following extensions: TXT, EML, HTM, HTML, DBX and WAB.
Sobig.D spreads via e-mail and across networks.

1- Transmission via e-mail:

In order to spread via e-mail, Sobig.D follows the routine below:

- It looks for e-mail addresses in all the files it finds with the following extensions:
  - TXT, text files.
  - EML, Outlook messages.
  - HTM*, web pages.
  - DBX, secure e-mail messages.
  - WAB, Windows Address Book.
- It sends itself out to these addresses in an e-mail message with the following characteristics. In order to do this, it uses its own SMTP engine.

Sender: Sobig.D creates a false address which appears as the sender of the e-mail message. This can cause confusion.

Subject:
- Application Ref: 456003
- Your Application
- Re: Movies
- Re: Your application
- Re: Documents
- Re: App. 00347545-002
- Re: Your Application (Ref: 003844)
- Re: Screensaver
- Re: Accepted

Message: See the attached file for details.

Attachments:
- ACCEPTED.PIF
- APP003475.PIF
- APPLICATION.PIF
- APPLICATION844.PIF
- APPLICATIONS.PIF
- DOCUMENT.PIF
- MOVIES.PIF
- REF_456.PIF
- SCREENSAVER.SCR

2- Transmission via networks:

If the system date is earlier than July 2, 2003, this worm also spreads across networks. Sobig.D checks if it is connected to a network and, if it is, copies itself to the following directories on the rest of the computers in the network:

- \Windows\All Users\Start Menu\Programs\StartUp\
- \Documents and Settings\All Users\Start Menu\Programs\Startup\

These are Windows Start directories and, as a result, once Sobig.D has copied itself to them, it will be run whenever the computer is started up.
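The message characteristics listed above can be checked on a mail gateway or against a mailbox archive. The following is an added example, not part of the original description: the function names `score_message` and `build_sample` are hypothetical, the rule "listed attachment name plus one other match" is an assumed policy, and the sender is ignored because the description says it is falsified.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the description above, lower-cased for comparison.
SUBJECTS = {
    "application ref: 456003", "your application", "re: movies",
    "re: your application", "re: documents", "re: app. 00347545-002",
    "re: your application (ref: 003844)", "re: screensaver", "re: accepted",
}
ATTACHMENTS = {
    "accepted.pif", "app003475.pif", "application.pif", "application844.pif",
    "applications.pif", "document.pif", "movies.pif", "ref_456.pif",
    "screensaver.scr",
}
BODY = "see the attached file for details."


def score_message(raw: bytes) -> dict:
    """Return which Sobig.D message characteristics a raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Collapse folded whitespace so a wrapped Subject header still matches.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    names = [(p.get_filename() or "").strip().lower()
             for p in msg.iter_attachments()]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    hits = {
        "subject": subject in SUBJECTS,
        "attachment": any(n in ATTACHMENTS for n in names),
        "body": body == BODY,
    }
    # Assumed policy: a listed attachment name plus one other match.
    hits["detected"] = hits["attachment"] and (hits["subject"] or hits["body"])
    return hits


def build_sample(subject: str, filename: str, text: str) -> bytes:
    """Build a constructed test message (not a captured worm sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(text)
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A subject match alone is reported but not treated as a detection, since subjects such as "Your Application" also occur in legitimate mail.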