
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.



Threat Level: Moderate threat. Damage: High. Distribution: Not widespread.
Common name: Sobig.F
Technical name: W32/Sobig.F
Threat level: Low
Alias: W32/Sobig.F@mm, Win32.HLLM.Reteras, Win32/Sobig.F.Worm, I-Worm.Sobig.f
Effects: It opens ports 995 through 999 and waits for orders. It can download files from the Internet.
Affected platforms: Windows XP/2000/NT/ME/98/95
First detected on: Aug. 19, 2003
Detection updated on: March 20, 2006
Proactive protection: Yes, using TruPrevent Technologies
Repair utility: Panda QuickRemover

Brief Description 


Sobig.F is a worm that spreads via e-mail and across shared network drives.

When Sobig.F spreads via e-mail, it reaches the computer in a message with variable characteristics and an attached file that almost always has a PIF extension. When it spreads across shared network drives, Sobig.F attempts to copy itself to the drives it has gained access to.

Sobig.F sends UDP packets to port 8998 of certain IP addresses, which answer with a web page address that the worm then accesses to download a file. It then opens ports 995 through 999 on the affected computer and waits to receive control commands.
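The network behaviour described above can be hunted for in flow logs. The following is an added example, not Panda Security's code: it flags internal hosts that send UDP to external port 8998 and hosts that receive traffic on ports 995 through 999. The record format, the `10.0.0.0/8` internal range, the function names and the `pop3s_servers` exemption are assumptions; the page does not say which protocol the opened ports use, so either is matched.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: "timestamp src dst proto dst_port"
SAMPLE_FLOWS = """\
2003-08-22T19:00:01Z 10.0.4.17 198.51.100.23 udp 8998
2003-08-22T19:00:02Z 10.0.4.17 198.51.100.77 udp 8998
2003-08-22T19:00:05Z 10.0.4.17 203.0.113.9 tcp 80
2003-08-22T19:03:40Z 203.0.113.50 10.0.4.17 udp 996
2003-08-22T19:04:00Z 10.0.9.30 10.0.1.5 tcp 995
2003-08-22T19:05:12Z 10.0.7.2 192.0.2.44 udp 53
2003-08-22T19:06:00Z 203.0.113.50 10.0.8.8 tcp 999
not a flow record
"""

BEACON_PORT = 8998                 # UDP destination port named on the page
CONTROL_PORTS = range(995, 1000)   # ports 995 through 999 named on the page


def sobig_f_indicators(flow_text, internal_cidr="10.0.0.0/8", pop3s_servers=()):
    """Map each internal host to the sorted list of Sobig.F network indicators seen."""
    internal = ipaddress.ip_network(internal_cidr)
    mail = {ipaddress.ip_address(s) for s in pop3s_servers}
    hits = defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _, src, dst, proto, port = parts
        try:
            src, dst, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
        except ValueError:
            continue
        # Outbound UDP to port 8998 on an external address
        if proto == "udp" and port == BEACON_PORT and src in internal and dst not in internal:
            hits[str(src)].add("udp-8998-out")
        # Traffic reaching an internal host on 995-999. 995/tcp is also POP3
        # over TLS, so known mail servers are exempt for that one port.
        if port in CONTROL_PORTS and dst in internal:
            if port == 995 and proto == "tcp" and dst in mail:
                continue
            hits[str(dst)].add("port-995-999-in")
    return {host: sorted(tags) for host, tags in hits.items()}


def likely_infected(indicators):
    """Hosts showing both behaviours are the strongest candidates."""
    return sorted(h for h, tags in indicators.items() if len(tags) == 2)
```

A host with only one indicator is worth a look but is weaker evidence, since port 995/tcp in particular carries legitimate mail traffic.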

Visible Symptoms 


Sobig.F is easy to recognize when it spreads via e-mail, as it reaches the computer in a message with the following characteristics:

  • Subject:
    It can be one of the following:
    Re: Thank you
    Thank you!
    Your details
    Re: Details
    Re: Re: My details
    Re: Approved
    Re: Your application
    Re: Wicked screensaver
    Re: That movie
  • Attachments:
    It can be one of the following: