Sobig (computer worm)
Encyclopedia
The Sobig Worm was a computer worm
that infected millions of Internet
-connected, Microsoft Windows
computers in August 2003.
Although there were indications that tests of the worm were carried out as early as August 2002, Sobig.A was first found in the wild in January 2003. Sobig.B was released on May 2003. It was first called Palyh, but was later renamed to Sobig.B after anti-virus experts discovered it was a new generation of Sobig. Sobig.C was released May 31 and fixed the timing bug in Sobig.B. Sobig.D came a couple of weeks later followed by Sobig.E on June 25. On August 19, Sobig.F became known and set a record in sheer volume of e-mails.
The worm was most widespread in its "Sobig.F" variant.
Sobig is a computer worm
in the sense that it replicates by itself, but also a Trojan horse
in that it masquerades as something other than malware
. The Sobig worm will appear as an electronic mail with one of the following subjects:
It will contain the text: "See the attached file for details" or "Please see the attached file for details." It also contains an attachment by one of the following names:
The Sobig.F variant was programmed to contact 20 IP addresses
on UDP
port 8998 on August 26, 2003 to install some program or update itself. It is unclear what this program was, but earlier versions of the virus had installed the WinGate
proxy server
software - a legitimate product - in a configuration allowing it to be used as a backdoor for spammers to distribute unsolicited e-mail.
The Sobig worm was written using the Microsoft Visual C++ compiler, and subsequently compressed using a data compression program called tElock.
The Sobig.F worm deactivated itself on September 10, 2003. On November 5 the same year, Microsoft
announced that they will pay $250,000 for information leading to the arrest of the creator of the Sobig worm. To date, the perpetrator has not been caught.
In February 2009, Microsoft also gave the same prize for the information of Conficker Worm's
author.
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
that infected millions of Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
-connected, Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
computers in August 2003.
Although there were indications that tests of the worm were carried out as early as August 2002, Sobig.A was first found in the wild in January 2003. Sobig.B was released on May 2003. It was first called Palyh, but was later renamed to Sobig.B after anti-virus experts discovered it was a new generation of Sobig. Sobig.C was released May 31 and fixed the timing bug in Sobig.B. Sobig.D came a couple of weeks later followed by Sobig.E on June 25. On August 19, Sobig.F became known and set a record in sheer volume of e-mails.
The worm was most widespread in its "Sobig.F" variant.
Sobig is a computer worm
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
in the sense that it replicates by itself, but also a Trojan horse
Trojan horse (computing)
A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but steals information or harms the system. The term is derived from the Trojan Horse story in Greek mythology.-Malware:A destructive program that masquerades as a benign...
in that it masquerades as something other than malware
Malware
Malware, short for malicious software, consists of programming that is designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior...
. The Sobig worm will appear as an electronic mail with one of the following subjects:
- Re: Approved
- Re: Details
- Re: Re: My details
- Re: Thank you!
- Re: That movie
- Re: Wicked screensaver
- Re: Your application
- Thank you!
- Your details
It will contain the text: "See the attached file for details" or "Please see the attached file for details." It also contains an attachment by one of the following names:
- application.pif
- details.pif
- document_9446.pif
- document_all.pif
- movie0045.pif
- thank_you.pif
- your_details.pif
- your_document.pif
- wicked_scr.scr
Technical details
The Sobig viruses infect a host computer by way of the above mentioned attachment. When this is started they will replicate by using their own SMTP agent engine. E-mail addresses that will be targeted by the virus are gathered from files on the host computer. The file extensions that will be searched for e-mail addresses are:- .dbx
- .eml
- .hlp
- .htm
- .html
- .mht
- .wab
- .txt
The Sobig.F variant was programmed to contact 20 IP addresses
Internet Protocol
The Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...
on UDP
User Datagram Protocol
The User Datagram Protocol is one of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol network without requiring...
port 8998 on August 26, 2003 to install some program or update itself. It is unclear what this program was, but earlier versions of the virus had installed the WinGate
WinGate (computing)
WinGate is an Integrated Gateway Management system for Microsoft Windows, providing firewall and NAT services, along with a number of integrated proxy servers and also email services ....
proxy server
Proxy server
In computer networks, a proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server...
software - a legitimate product - in a configuration allowing it to be used as a backdoor for spammers to distribute unsolicited e-mail.
The Sobig worm was written using the Microsoft Visual C++ compiler, and subsequently compressed using a data compression program called tElock.
The Sobig.F worm deactivated itself on September 10, 2003. On November 5 the same year, Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
announced that they will pay $250,000 for information leading to the arrest of the creator of the Sobig worm. To date, the perpetrator has not been caught.
In February 2009, Microsoft also gave the same prize for the information of Conficker Worm's
Conficker
Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008...
author.