You're in: Panda Security > Home Users > security-info > about-malware > encyclopedia > overview

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Encyclopedia GetVirusCard True 0

Sobig.F
Threat LevelDamageDistribution

At a glance Tech details | Solution


Common name:	Sobig.F
Technical name:	W32/Sobig.F
Threat level:	Low
Alias:	W32/Sobig.F@mm, Win32.HLLM.Reteras, Win32/Sobig.F.Worm, I-Worm.Sobig.f
Type:	Worm
Effects:	It opens ports 995 through 999 and waits for orders. It can download files from the Internet.
Affected platforms:	Windows XP/2000/NT/ME/98/95
First detected on:	Aug. 19, 2003
Detection updated on:	March 20, 2006
Statistics	No
Proactive protection:	Yes, using TruPrevent Technologies
Repair utility:	Panda QuickRemover

Brief Description

Sobig.F is a worm that spreads via e-mail and across shared network drives.

When Sobig.F spreads via e-mail, it reaches the computer in a message of variable characteristics and an attached file that almost always has a PIF extension. When it spreads across shared network drives, Sobig.F attempts to copy itself to those drives where it has gained access to.

Sobig.F sends UDP packets to the port 8998 of certain IP addresses, which answer with a web page address that the worm will access to download a file. It then opens ports 995 through 999 on the affected computer, and waits for control commands to be received.

Visible Symptoms

Sobig.F is easy to recognize when it spreads via e-mail, as it reaches the computer in a message with the following characteristics:

Subject:
It can be one of the following:
Re: Thank you
Thank you!
Your details
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Attachments:
It can be one of the following:
YOUR_DOCUMENT.PIF
DOCUMENT_ALL.PIF
THANK_YOU.PIF
YOUR_DETAILS.PIF
DETAILS.PIF
DOCUMENT_9446.PIF
APPLICATION.PIF
WICKED_SCR.SCR
MOVIE0045.PIF

Panda Security. New Lineup 2013. Renew now

Antivirus Solutions

Technical Support