• United States

Sobig a fool as that?

Jul 08, 20032 mins

* Beware the Sobig worm

It never ends. Automated social engineering by e-mail-enabled worms is a curse that is approaching unsolicited e-mail in its irritation quotient. These worms, like human spammers, generate misleading subject lines to trick victims into opening messages – and in particular, opening the attachments that contain malicious code and thus executing the code.

In the last few days, I’ve received dozens of copies of two particular variants of W32.Sobig.E@mm worm-bearing messages. One type includes the subject line “Re: Application” and the other is “Re: Movie.” It happens that I run a graduate program that is currently receiving lots of correspondence about applications in our pipeline and that one of my hobbies is movies, so you can understand my irritation with these bogus messages. Other topics reported by antivirus companies in versions of the Sobig worm-bearing e-mail messages include:





new document.pif

Re: document.pif

Re: Documents

Re: Movies

Re: Re: Application ref 003644

Re: Re: Document

Re: ScRe:ensaver

Re: Submitted




Your application

The text in the messages I have received has uniformly been “Please see the attached zip file for details.” However, other messages have been noted “in the wild.”

The attachment may be called: (contains Application.pif) (contains Document.pif) (contains Movie.pif) (contains (contains Details.pif)

However, the files I have received terminated in the double suffix “.zip.htm” which is a giveaway that something funny is going on. Other second-suffixes for the worm-infected attachments include:






So you might get, for example, “” or “” and so on.

Once opened, the active content of the ZIP file can infect the Windows operating system and mail itself to addresses found in various e-mail address books using forged e-mail headers.

The current version has a termination date of Bastille Day 2003 (July 14); however, one can be sure that some creepy wannabe will alter the code to extend the lifetime of this nuisance.

So be sure all your antivirus products are dutifully updating themselves automatically; tell your users to be on guard against these wretched messages; and warn them not to be, ah, “sobig” a fool as to actually open any attachment from a stranger or any unexpected attachment supposedly from a friend.