Sobig a fool as that?

It never ends. Automated social engineering by e-mail-enabled worms is a curse that is approaching unsolicited e-mail in its irritation quotient. These worms, like human spammers, generate misleading subject lines to trick victims into opening messages - and in particular, opening the attachments that contain malicious code and thus executing the code.

In the last few days, I've received dozens of copies of two particular variants of W32.Sobig.E@mm worm-bearing messages. One type carries the subject line "Re: Application" and the other "Re: Movie." It happens that I run a graduate program that is currently receiving lots of correspondence about applications in our pipeline, and that one of my hobbies is movies, so you can understand my irritation with these bogus messages. Other subject lines reported by antivirus companies in versions of the Sobig worm-bearing e-mail messages include:

004448554.pif
Application.pif
Applications.pif
movie.pif
new document.pif
Re: document.pif
Re: Documents
Re: Movies
Re: Re: Application ref 003644
Re: Re: Document
Re: ScRe:ensaver
Re: Submitted
Referer.pif
Screensaver.scr
submited.pif
Your application

The text in the messages I have received has uniformly been "Please see the attached zip file for details." However, other messages have been noted "in the wild."

The attachment may be called:

Application.zip (contains Application.pif)
Document.zip (contains Document.pif)
Movie.zip (contains Movie.pif)
Screensaver.zip (contains Sky.world.scr)
Your_details.zip (contains Details.pif)

However, the files I have received terminated in the double suffix ".zip.htm" which is a giveaway that something funny is going on. Other second-suffixes for the worm-infected attachments include:

.dbx
.eml
.html
.txt
.wab

So you might get, for example, "Application.zip.txt" or "Movie.zip.html" and so on.
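The double-suffix trick and the fixed set of subject lines described above are easy to screen for at a mail gateway. The following is an added example, not code from the original column: it lists the subject lines and outer suffixes quoted above, flags attachment names that end in a disguising second suffix after ".zip" or that carry an executable suffix (.pif, .scr and the like), and peeks inside a ZIP archive for executable members. The sample messages and the in-memory archive are constructed for the demonstration; the function names are the example's own.

```python
"""Heuristic screening of inbound subject lines and attachment names (added example).

Flags the patterns the column describes: known Sobig.E subject lines, attachments
named "<something>.zip.<second suffix>", and executable payloads such as .pif/.scr.
All sample messages below are constructed for the demo, not captured mail.
"""
import io
import zipfile

# Subject lines the column lists as used by Sobig.E (matched exactly, case-insensitively)
SOBIG_SUBJECTS = {
    "re: application", "re: movie", "re: documents", "re: movies",
    "re: re: application ref 003644", "re: re: document", "re: scre:ensaver",
    "re: submitted", "your application", "re: document.pif", "new document.pif",
    "application.pif", "applications.pif", "movie.pif", "004448554.pif",
    "referer.pif", "screensaver.scr", "submited.pif",
}

# Second suffixes the column reports appended after ".zip"
DISGUISE_SUFFIXES = {".htm", ".html", ".txt", ".dbx", ".eml", ".wab"}
# Suffixes Windows treats as programs when double-clicked (the payload inside the ZIP)
EXECUTABLE_SUFFIXES = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}


def suffixes(name: str) -> list:
    """All dotted suffixes of a file name, lowercased: 'A.zip.htm' -> ['.zip', '.htm']."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_attachment(name: str) -> list:
    """Reasons an attachment name looks like the worm's disguises; empty list if none."""
    reasons = []
    sfx = suffixes(name)
    if len(sfx) >= 2 and sfx[-2] == ".zip" and sfx[-1] in DISGUISE_SUFFIXES:
        reasons.append("zip-with-disguising-second-suffix")
    if sfx and sfx[-1] in EXECUTABLE_SUFFIXES:
        reasons.append("executable-attachment")
    if len(sfx) >= 2 and sfx[-2] in EXECUTABLE_SUFFIXES:
        reasons.append("executable-hidden-by-second-suffix")
    return reasons


def zip_contains_executable(data: bytes) -> list:
    """Names of members inside a ZIP archive (raw bytes) that carry an executable suffix.
    Data that is not a valid archive yields an empty list rather than an exception."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if suffixes(n) and suffixes(n)[-1] in EXECUTABLE_SUFFIXES]
    except zipfile.BadZipFile:
        return []


def classify_message(subject: str, attachments: list) -> dict:
    """Combine subject and attachment checks into one verdict for a message."""
    reasons = []
    if subject.strip().lower() in SOBIG_SUBJECTS:
        reasons.append("known-sobig-subject")
    for name in attachments:
        reasons.extend(f"{r}:{name}" for r in classify_attachment(name))
    return {"subject": subject, "suspicious": bool(reasons), "reasons": reasons}


def build_sample_zip(member: str) -> bytes:
    """Constructed sample archive for the demo: a harmless text member under a given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "placeholder text, not a program")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample messages mirroring the column's descriptions
    samples = [
        ("Re: Movie", ["Movie.zip.htm"]),
        ("Your application", ["Application.zip"]),
        ("Re: lunch on Friday", ["agenda.txt"]),
    ]
    for subject, names in samples:
        print(classify_message(subject, names))
    # Archive inspection: the column says Application.zip contains Application.pif
    print(zip_contains_executable(build_sample_zip("Application.pif")))
```

Subject matching is deliberately exact rather than fuzzy, so that ordinary "Re:" replies about real applications and movies are not swept up; the attachment checks carry the weight, and the ZIP peek catches the case where the archive name itself looks innocent.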

Once the attachment is opened and the program inside the ZIP file runs, it can infect the Windows operating system and mail itself to addresses found in various e-mail address books, using forged e-mail headers.

The current version has a termination date of Bastille Day 2003 (July 14); however, one can be sure that some creepy wannabe will alter the code to extend the lifetime of this nuisance.

So be sure all your antivirus products are dutifully updating themselves automatically; tell your users to be on guard against these wretched messages; and warn them not to be, ah, "sobig" a fool as to actually open any attachment from a stranger or any unexpected attachment supposedly from a friend.
