We have reports of a new worm called W32/SoBig.B (originally named W32/Palyh) which is in the wild, i.e., reported to be infecting a good number of computers. This worm arrives as an e-mail attachment and requires users to run the executable. The worm sends itself by e-mail and propagates through network shares only on dates prior to 5/31/2003.
Subject line: The subject is randomly selected from the following list:
- Re: My application
- Re: Movie
- Cool screensaver
- Screensavers
- Re: My details
- Your password
- Re: Approved (Red. 3394-65467)
- Approved (Ref. 38446-263)
- Your details
Message body: All information is in the attached file.
Attachment filename: Makes use of the following file names:
- approved.pif
- ref-394755.pif
- password.pif
- application.pif
- screen_doc.pif
- screen_temp.pif
- movie28.pif
- download1053122425102485703.uue
- doc_details.pif
- _approved.pif
Attachment size: 52,898 bytes
If the user runs the executable, the worm sends infected e-mails to addresses found in .dbx, .htm, .html, .eml and .txt files. W32/SoBig.B, which is a variant of SoBig.A, also uses its own SMTP routines for propagation and spreads through network shares by copying itself to the following locations on computers with network shares enabled:
- "Documents and Settings\All Users\Start Menu\Programs\Startup\"
- "Windows\All Users\Start Menu\Programs\StartUp\"
Severity: Tries to download an updated version of the worm or other malware from a remote site.
Avoidance Action: Make sure your virus definition files are up-to-date. Block all incoming and outgoing .exe, .pif, .com, .scr files.
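As an added example (not part of the GFI advisory), the following Python mail-gateway check matches an incoming message against the indicators listed above (subject lines, attachment names, attachment size) together with the extension block list from the avoidance action; the sample messages are constructed here. Note that the .uue attachment name from the list would not be caught by the extension block list alone, which is why both checks are applied.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory: subject lines, attachment names, size.
SOBIG_B_SUBJECTS = {
    "Re: My application", "Re: Movie", "Cool screensaver", "Screensavers",
    "Re: My details", "Your password", "Re: Approved (Red. 3394-65467)",
    "Approved (Ref. 38446-263)", "Your details",
}
SOBIG_B_ATTACHMENTS = {
    "approved.pif", "ref-394755.pif", "password.pif", "application.pif",
    "screen_doc.pif", "screen_temp.pif", "movie28.pif",
    "download1053122425102485703.uue", "doc_details.pif", "_approved.pif",
}
SOBIG_B_SIZE = 52898
# Extension block list from the advisory's avoidance action.
BLOCKED_EXTENSIONS = (".exe", ".pif", ".com", ".scr")


def inspect_message(raw: bytes) -> dict:
    """Return which advisory indicators an RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": False, "attachment_name": False,
            "blocked_ext": False, "size": False}
    hits["subject"] = (msg["Subject"] or "").strip() in SOBIG_B_SUBJECTS
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        hits["attachment_name"] |= name in SOBIG_B_ATTACHMENTS
        hits["blocked_ext"] |= name.endswith(BLOCKED_EXTENSIONS)
        hits["size"] |= len(payload) == SOBIG_B_SIZE
    return hits


def verdict(hits: dict) -> str:
    """Quarantine on a blocked extension or known name; flag subject-only hits."""
    if hits["attachment_name"] or hits["blocked_ext"]:
        return "quarantine"
    return "review" if hits["subject"] else "pass"


def build_sample(subject: str, filename: str, size: int) -> bytes:
    """Construct a test message (constructed data, not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("All information is in the attached file.")
    msg.add_attachment(b"X" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```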
For more updated information: http://www.gfi.com/security
References:
- http://www.norman.com/virus_info/w32_palyh_a_mm.shtml
- http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=86
- http://vil.nai.com/vil/content/v_100307.htm
About GFI
GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. With award-winning technology, an aggressive pricing strategy and a strong focus on small-to-medium sized businesses, GFI is able to satisfy the need for business continuity and productivity encountered by organizations on a global scale. GFI has offices in the US, Malta, UK, Hong Kong and Australia which support more than 200,000 installations worldwide. GFI is a channel-focused company with over 10,000 partners worldwide. GFI is a Microsoft Gold Certified Partner. More information about GFI can be found at http://www.gfi.com.
All product and company names herein may be trademarks of their respective owners.