W32.Sobig.F@mm - updated statistics
Symantec Security Response - W32.Sobig.F@mm - updated statistics
Here's the latest updates on W32.Sobig.F@mm from the Symantec Security Response experts: Symantec Security Response has received a total of 6,031 submissions, of which, 654 are corporate submissions and 5,377 are consumer infections.
The worm deactivates on September 10, 2003.
The last day the worm will spread is September 9, 2003. However, the deactivation date applies only to the mass-mailing, network propagation, and e-mail address collection routines.
This means that a W32.Sobig.F@mm infected computer, will still attempt to download updates from the respective list of master servers during the associated trigger period (19:00 to 22:00 UTC), even after the infection deactivation date. Previous variants of Sobig exhibited similar behaviour.
Outbound udp traffic was observed on August 22 coming from systems infected with both Sobig.E and Sobig.F. However the target IP addresses were either not responding, taken offline or contained not executable content i.e. a link to a adult site.
W32.Sobig.F@mm uses a technique known as "email
spoofing," by which the worm randomly selects an address it
finds on an infected computer. For more information on
e-mail spoofing, see the "Technical Details" outlined in the
write up located at