
H E L P  &  T E C H   S U P P O R T

Use these links for brief descriptions of the three major worms, links to more detailed descriptions, and instructions on patches to fix these issues. Although we are making every effort to combat the effect of these worms, we need to ask for your help. We need you to patch your machines to reduce and hopefully eliminate the effects of these worms.

W32.Sobig.F@mm Worm

W32.Sobig.F@mm is a mass-mailing worm that sends itself to all the email addresses it finds in files with the following extensions: .dbx, .eml, .hlp, .htm, .html, .mht, .wab, and .txt. This worm affects only Windows computers, not Mac, Linux, or Unix systems. Sobig.F has a built-in termination date, September 10, 2003, and can attempt to retrieve, download, and finally execute a Trojan to steal credit card numbers and other personal account information. Sobig.F differs in that it appends garbage characters to the end of the infected file, making it harder for anti-virus products to recognize.

Email messages have the following characteristics:

  • The email message will have a spoofed address in the "From" field.
  • Or the worm may use the address admin@internet.com as the sender.
  • The spoofed addresses and the "Send To" addresses are both taken from the files found on the computer.
  • The worm may use the infected computer's settings to find an SMTP server to contact.
  • The choice of the internet.com domain appears to be arbitrary and does not have any connection to the actual domain or its parent company.
  • W32.Sobig.F@mm Removal Tool: Symantec Security Response has developed a removal tool to clean the W32.Sobig.F@mm infections.
  • If you are printing this page for reference: this is the "url" of the link in the above bullet: http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.removal.tool.html

We strongly urge you to download and use the Removal Tool. It's a good idea to be prepared to print out the instructions from the Symantec site and read them thoroughly before you begin the process.

W32.Sobig.F@mm Removal Tool does the following:

  1. Terminates the W32.Sobig.F@mm viral processes.
  2. Deletes the W32.Sobig.F@mm files.
  3. Deletes the dropped files.
  4. Deletes the registry values that the worm added.