Main Page | See live article | Alphabetical index

Sobig worm

The Sobig Worm was a computer worm that infected millions of Internet-connected, Microsoft Windows computers in August 2003.

Even if there were some indications that tests of the worm were being carried out as early as August 2002, Sobig.a was first found in the wild in January 2003. Sobig.b was released on May 2003. It was first called Palyh, but was later renamed to Sobig.b after anti-virus experts discovered it was a new generation of Sobig. Sobig.c was released May 31 and fixed the timing bug in Sobig.b. Sobig.d came a couple of weeks later followed by Sobig.e in June 25. On August 19, Sobig.f became known and set the record in sheer volume of e-mails.

The worm was most widespread in its "f" variant "Sobig.f", which followed earlier and less destructive "a" through "e" variants.

Sobig is a computer worm in the sense that it replicates by itself, but also a Trojan horse as it masquerades as something different than a virus. The Sobig worm will appear as a electronic mail with one of the following subjects:

And will contain the text: "See the attached file for details" or "Please see the attached file for details." It also contains an attachment by one of the following names:

Table of contents
1 Technical Details
2 See Also
3 External Links

Technical Details

The Sobig viruses infect a host computer by way of the above mentioned attachment. When this is started they will replicate by using their own SMTP agent engine. Email adresses that will be targeted by the virus is gathered from files on the host computer. The file extensions that will be searched for email adresses are:

The Sobig.F variant was programmed to contact 20 IP addresses on UDP port 8998 on August 26, 2003 to install some program or update itself. It is unclear what this program was, but earlier versions of the virus had installed the Wingate proxy server software, a backdoor often used by spammers to distribute unsolicited email. (I.e. created by a spacker.)

The Sobig worm was written using the Microsoft Visual C++ compiler, and subsequently compressed using a data compression program called tElock.

The Sobig.F worm deactivated itself on September 10, 2003. On November 5 the same year, Microsoft announced that they will pay $250.000 for information leading to the arrest of the creator of the Sobig worm.

See Also

External Links