W32.Sobig.F@mm – Upgraded To Level 3 Threat
Symantec Security Response - W32.Sobig.F@mm - Level 3 threat
Due to the number of submissions received from customers, Symantec Security Response has upgraded this threat to a Category 3 (moderate) from a Category 2 threat. This worm is mostly affecting the consumer user. Symantec Security Response expects that this worm will continue to spread at a steady pace for the next 2-3 days. W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses that it finds in the files with the following extensions:
The worm utilises it's own SMTP engine to propagate and will attempt to create a copy of itself on accessible network shares. The email will have a Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may use the address firstname.lastname@example.org as the sender.
* Re: Details
* Re: Approved
* Re: Re: My details
* Re: Thank you!
* Re: That movie
* Re: Wicked screensaver
* Re: Your application
* Thank you!
* Your details
* See the attached file for details
* Please see the attached file for details.
NOTE: The worm de-activates on September 10, 2003. The last day on which the worm will spread is September 9, 2003.
Definitions for this worm were posted via LiveUpdate and Intelligent Updater on August 19th. Additional technical details and a removal tool for this worm may be found at - http://email@example.com
Current Submission numbers - 305 total, 42 corporate.
Because W32.Welchia.Worm and W32.Blaster.Worm use the same vulnerability, DeepSight cannot differentiate the infections at this time. (Total number of infected systems for both these worms is currently 630,000.) Symantec Security Response has received confirmation that large enterprise customers are still being impacted greatly by this worm internally. The clean-up period will be at least weeks to months before systems are repaired.