Sobig.C was first seen on Sunday, 1st of June, the very same date that was set to be the end of Sobig.B's life. Since then it has been spreading at an increasing pace.
The worm spreads via e-mail attachments and Windows network shares. The e-mails sent by the worm pretend to come from addresses collected from the users' machines and they contain the message text "Please see the attached file.".
In addition to the e-mail spreading, Sobig.C will search for Windows machines within the infected Local Area Network and will try to copy itself to their Startup folder. This will fail unless users are sharing their Windows directories with write access – a thing that should never be done.
After spreading, Sobig.C will try to download additional code from web pages located at Geocities.com and run it. F-Secure has been in touch with various security response organizations and has received confirmation from Geocities that the pages used by the worm have been closed.
The Sobig.C worm won’t spread for long. It has been programmed to stop spreading on the 8th of June, 2003. It will still continue to send infected e-mails from machines that have their clock set wrong.
SPREADING BY E-MAIL
The worm collects e-mail addresses from various files on the infected computer and sends the infected e-mails with variable subjects, content, filenames and file sizes.
To send infected messages the worm makes a direct connection to the default SMTP server. The worm collects e-mail addresses from .TXT, .EML, .HTML, .HTM, .DBX, .WAB files in all directories on all available local drives.
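To make the mail-side behaviour concrete, here is an added Python triage routine (written for this page, not F-Secure's or the worm's code) that flags a message matching the pattern described above: the fixed body text, an executable attachment, and a Date header showing the sender's clock is still before the 8 June 2003 cut-off. The sample message, its addresses and attachment name are constructed, and the executable-extension list is an assumption because the description does not name the worm's attachment files.

```python
import email
from datetime import datetime, timezone
from email import policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

SOBIG_BODY_TEXT = "Please see the attached file."
# Date on which the worm stops spreading (from the description). A sender with a
# wrong clock keeps mailing, so its Date header stays before this cut-off.
SOBIG_C_CUTOFF = datetime(2003, 6, 8, tzinfo=timezone.utc)
# Assumption: extensions treated as executable. Generic list, not taken from the page.
EXECUTABLE_EXTS = (".exe", ".pif", ".scr", ".com", ".bat")


def build_sample(date_header: str) -> bytes:
    """Constructed message in the Sobig.C shape; addresses and filename are made up."""
    msg = EmailMessage()
    msg["From"] = "harvested.user@example.org"  # spoofed, as the worm does
    msg["To"] = "victim@example.net"
    msg["Subject"] = "constructed sample"
    msg["Date"] = date_header
    msg.set_content(SOBIG_BODY_TEXT)
    msg.add_attachment(b"MZ not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename="document.pif")
    return msg.as_bytes()


def triage_message(raw: bytes, now: datetime) -> dict:
    """Flag a message matching the Sobig.C mail pattern; `now` is the gateway's clock."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    exe_names = [n for n in names if n.lower().endswith(EXECUTABLE_EXTS)]
    try:
        sent = parsedate_to_datetime(msg["Date"])
        if sent is not None and sent.tzinfo is None:
            sent = sent.replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        sent = None
    # Seen after the cut-off but dated before it: the wrong-clock sender case.
    wrong_clock = sent is not None and now >= SOBIG_C_CUTOFF and sent < SOBIG_C_CUTOFF
    return {
        "body_matches": text == SOBIG_BODY_TEXT,
        "executable_attachments": exe_names,
        "sender_clock_before_cutoff": wrong_clock,
        "suspect": text == SOBIG_BODY_TEXT and bool(exe_names),
    }
```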