Welcome to the Virus Encyclopedia of Panda Security.
|Alias:||W32/Emesache, W32/Palyh, W32.HLLM.Ccn, W32.HLLW.Manx@mm, W32/Sobig.B|
|Effects:||It downloads files from up to four websites and runs them.|
|First detected on:||May 18, 2003|
|Detection updated on:||Oct. 25, 2007|
|Yes, using TruPrevent Technologies
Sobig.B is a worm that, every two hours, tries to download and run four text files from up to four websites in the geocities.com domain, which route the affected computer to a URL with pornographic content.
Sobig.B spreads via e-mail and across networks. The message carrying this worm is easy to identify: it passes itself off as a message from Microsoft, the sender is always firstname.lastname@example.org, and the message text is: All information is in the attached file.
Once it has infected a computer, Sobig.B looks for e-mail addresses in all the files it finds on the affected computer with the following extensions: TXT, EML, HTM, HTML, DBX and WAB. It then sends a copy of itself to all these addresses. Note, however, that it only sends itself out when the system date is prior to May 31.
Sobig.B can also copy itself to the Startup directories of computers connected to the same network as the affected computer.
Sobig.B is easy to recognize when it spreads via e-mail, as the message always has the following characteristics:
Message: All information is in the attached file.
Attachment: A file with a PIF extension.
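A mail-filter check for the two message characteristics listed above, as an added example that is not Panda Security's code. The function names, the placeholder addresses and the sample messages are constructed for illustration; the sender is not checked because the From header is trivially forged.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
BODY_MARKER = "all information is in the attached file."
RISKY_EXT = ".pif"

def sobig_b_indicators(raw_bytes):
    """Return the Sobig.B mail indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            # Match on the final extension only, so "doc.txt.pif" still counts.
            if filename.strip().lower().endswith(RISKY_EXT):
                hits.append("pif_attachment:" + filename)
        elif part.get_content_type() == "text/plain":
            # Collapse whitespace so line wrapping does not hide the phrase.
            text = " ".join(part.get_content().split()).lower()
            if BODY_MARKER in text:
                hits.append("body_text")
    return hits

def is_suspect(raw_bytes):
    """Flag only when both the body phrase and a PIF attachment are present."""
    hits = sobig_b_indicators(raw_bytes)
    return "body_text" in hits and any(h.startswith("pif_attachment:") for h in hits)

def build_sample(body, attachment_name):
    """Constructed test message; addresses and payload are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "constructed sample"
    m.set_content(body)
    m.add_attachment(b"harmless placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()

if __name__ == "__main__":
    for name in ("Document.PIF", "notes.txt"):
        raw = build_sample("All information is in the attached file.", name)
        print(name, sobig_b_indicators(raw), is_suspect(raw))
```

Requiring both indicators keeps ordinary mail that merely mentions an attached file from being flagged.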