Aliases: I-Worm.Sobig.a, W32/Sobig.a@MM, Win32.HLLM.Reteras, W32/Sobig-A, Win32/Sobig.A@mm
Variants: WORM_SOBIG.A, Worm/Sobig.A, W32/Sobig.A@mm, Win32:Sobig, I-Worm/Sobig.A

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 17 Jan 2003
Damage: Low

Characteristics: A file detected as W32.Sobig.A@mm.enc is a MIME-encoded copy of the W32.Sobig.A@mm worm (for example, a base64-encoded mail attachment) rather than the decoded executable itself.

More details about W32.Sobig.A@mm

Reports indicate that W32.Sobig.A@mm infects a computer when the user opens an infected email attachment, typically from a message whose sender address is spoofed to “big@boss.com”. These attachments carry names such as document003.pif, movie_0074.mpeg.pif, untitled 1.pif, sample.pif, thank_you.pif, application.pif, wicked_scr.scr and your_document.pif. When it runs, the worm copies itself into the Windows directory as “winmgm32.exe” and registers that file under the system’s automatic-run registry key as a value named “WindowsMGM”, so the copy is started each time Windows boots. W32.Sobig.A@mm can spread both over the local network and by email; for email it sends the infected messages over SMTP itself rather than through the user’s mail client.

Most worms are built only to spread, but this one is also reported to download and install a backdoor Trojan. It first fetches a text file containing a link to a PE (Windows executable) file, then downloads that file to “dwn.dat” in the Windows directory and runs it. This creates a second problem for the user: a backdoor Trojan can expose the infected computer to remote control over the local area network or the Internet, after which the machine can be made to perform actions the user neither authorised nor wanted.