New Variant Of Sobig Virus

Getting a lot of bounces in my email. Seems to be a workstation at Erie Boces 1 that has an infected pc that is very active right now 15 bounces with my email address (must be in the address book of that workstation)

Anyone getting bounces from virus scanners look for this in the headers
Received: from []

or this in the headers
Received: from [] (helo=HS_BERNARD)

if either appears forward to [email][/email] which is tech support there


Warning: dangerous new variant of “Sobig” family spreading

On 18th August 2003, MessageLabs the email security company intercepted several copies of a mass-mailing virus which were identified as W32/Sobig.F-mm. The initial copies all originated from the United States.

Name: W32/Sobig.F-mm
Number of copies intercepted so far: 1,124 (increasing rapidly)
Time & Date first Captured: 18 Aug 2003 21:04 GMT
Origin of first intercepted copy: United States
Most active country: United States (95%), Denmark (3%), Norway (1%)

Initial analysis would suggest that Sobig.F is a mass-emailing virus that is spreading very vigorously. Sobig.F appears to be polymorphic in nature and the email from: address is also spoofed and may not indicate the true identity of the sender. In earlier versions of the Sobig family, the file extension has sometimes been truncated. MessageLabs have not yet observed this with the Sobig.F strain.

The email may also comprise the following characteristics:
Subject: Re: Details
Please see the attached file for details.

Attachment names may include: your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document_Fall.pif, application.pif, document_9446.pif

In an attempt to bypass local antivirus security, the file size varies on each generation reminiscent of Yaha by appending rubbish to the end of the file, but is on average around 74kb in size. The initial copies are packed using TELock, but there may be other variants in the wild packed using different packers.

Now detected by Symantec: ┬╗[?]

2 Responses to New Variant Of Sobig Virus

  • Ken of ALLWNY says:

    This version of the virus also Sends email to addresses collected from files with the following extensions: .wab, .dbx, .htm, .html, .eml, .txt. Which are found in the temp folders offline web pages and the IE/browser cashe.

  • Silent Bob says:

    Some additional virus info:
    Some of our clients are getting bounced messages with something similar to the following as part of the message:

    > This message has been rejected because it has
    > a potentially executable attachment “movie0045.pif”
    > This form of attachment has been used by
    > recent viruses or other malware.
    > If you meant to send this file then please
    > package it up as a zip file and resend it.

    This is a result of the recent re-explosion of the W32/Sobig.F-mm email worm. These messages are safe to delete. DONOT! click on the attachment file!

    The short version is, someone who is infected has 'your' address on file. 'Your' here being whoever is getting the bounces. A careful analysis of the headers will determine the true source of the emails. Our server is setup to reject certain file types. .exe .com and .pif are 3 of those types rejected. We also strongly recommend that everyone make sure that their anti virus software is up to date. If your own system is clean, and your anti-virus software is up to date and properly running, you should be safe. Please check with your AVS vendor to verify you are up to date.

    More info:
    The sender appears to be someone from a recognized domain name, such as, or The subject line typically says “Re: Details,” “Resume” or “Thank you.”

    Attachment names may include: your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document_Fall.pif, application.pif, and document_9446.pif.

    The virus grabs e-mail addresses from several different locations on a computer, including the Windows address book and Internet cache, and sends e-mails to each one. The virus also forges the source of the message using a randomly selected e-mail address so that the infected message appears to come from someone else.

    This message at Slashdot has more info:…tid=128&tid=187

    See also here:

    For those interested in digging further, please see here for information on your email client and how to see all the headers:

Leave a Reply

Your email address will not be published. Required fields are marked *