Active Scan. Scan your PC free
Download Cloud Antivirus Gratis

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Threat LevelModerate threatDamageHighDistributionNot widespread
Common name:Sobig.B
Technical name:W32/Sobig.B
Threat level:Low
Alias:W32/Emesache; W32/Palyh,, W32.HLLM.Ccn, W32.HLLW.Manx@mm, W32/Sobig.B
Effects:  It downloads files from up to four websites and runs them.
Affected platforms:

Windows XP/2000/NT/ME/98/95

First detected on:May 18, 2003
Detection updated on:Oct. 25, 2007
Proactive protection:
Yes, using TruPrevent Technologies

Brief Description 


Sobig.B is a worm that every two hours tries to download and run four text files from up to four websites in the domain, which route the affected computer to a URL with pornographic content.

Sobig.B spreads via e-mail and across networks. The message carrying this worm is easy to identify, as it passes itself off as a message from Microsoft given that the sender is always and the message: All information is in the attached file.

Once it has infected a computer, Sobig.B looks for e-mail addresses in all the files it finds on the affected computer with the following extensions: TXT, EML, HTM, HTML, DBX and WAB. It then sends a copy of itself to all these addresses. However, it is important to highlight that it only sends itself out when the system date is prior to May 31.

Sobig.B can also copy itself to the Startup directories in the computers connected to the same network as the affected computer.

Visible Symptoms 


Sobig.B is easy to recognize when it spreads via e-mail, as the message always has the following characteristics:

  • Sender:
  • Message:
    All information is in the attached file.
  • Attachments:
    A file with a PIF extension.