On Saturday, May 31st, Eset announced the discovery of yet another variant of the
Win32/Sobig worm. Like its predecessor, Sobig.b, Sobig.c uses a faked sender
address to fool users into opening the attachment. Pretending to be
from bill@microsoft.com (or a variety of other addresses), Win32/Sobig.c also employs subject
lines that give the impression of being related to a job application. The new variant of Sobig was
discovered on the same day Sobig.b was hard-coded to cease spreading. According to Eset, Sobig.c is similarly hard-coded. "Based on our analysis, the routines of Win32/Sobig.c will remain active
till June 7th," commented Richard Marko, Eset's head of strategic
development division.
Miro Trnka, CTO of Eset Software, warns, "When Win32/Sobig.b first began
spreading, many were fooled into opening the attachment because the
message appeared to be from support@microsoft.com. Of course, this was
just a ruse employed by the virus and those who were tricked into
opening the attachment became infected. With Win32/Sobig.c taking an
even more personal approach by pretending to be from bill@microsoft.com,
and with a subject line that might make it seem to be regarding a job
application, users are urged to be even more cautious. Legitimate emails
from Microsoft are unlikely to arrive with an attachment and any that do
should be treated with suspicion and scanned with updated antivirus
software before opening."
Win32/Sobig.c is a mass-mailing email worm. The email composed by the
worm has the following characteristics:
Subject:
Re: Application
Re: Your application Approved
Re: Approved
Re: 45443-343556
Re: Submited (004756-3463)
Re: Movie
Re: Screensaver
Message body:
Please see the attached file
Attachment:
document.pif
application.pif
approved.pif
documents.pif
45443.pif
submited.pif
movie.pif
screensaver.scr
If the infected attachment is opened, the worm drops an infected file
named mscvb.exe and modifies the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
registry key so that the worm is launched each time the system is restarted.
The worm is also able to spread in a network environment in the same
manner as Sobig.b.
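The email profile listed above is the kind of thing a mail gateway or incident responder can match on directly. The following is an added example, not Eset's or NOD32's code: it parses raw RFC 822 messages with Python's standard email library and reports which Sobig.c indicators fire (the listed subjects, attachment names and body text), plus the weaker heuristic the advisory itself suggests, a sender claiming to be at microsoft.com together with a .pif/.scr attachment. The three sample messages are constructed for the demo; the base64 attachment body is inert filler, not worm code.

```python
"""Match incoming mail against the Win32/Sobig.c email profile.

Added example (not Eset's code). Indicator values come from the advisory
above; the sample messages below are constructed for demonstration.
"""
from email import message_from_string
from email.policy import default

# Subject lines and attachment names exactly as the advisory lists them.
# "Submited"/"submited" are the worm's own misspellings and must be kept.
SOBIG_C_SUBJECTS = {
    "Re: Application",
    "Re: Your application Approved",
    "Re: Approved",
    "Re: 45443-343556",
    "Re: Submited (004756-3463)",
    "Re: Movie",
    "Re: Screensaver",
}
SOBIG_C_ATTACHMENTS = {
    "document.pif", "application.pif", "approved.pif", "documents.pif",
    "45443.pif", "submited.pif", "movie.pif", "screensaver.scr",
}
SOBIG_C_BODY = "please see the attached file"
EXECUTABLE_SUFFIXES = (".pif", ".scr")


def sobig_c_indicators(raw_message: str) -> list[str]:
    """Return the Sobig.c indicators matched by one raw RFC 822 message.

    An empty list means nothing fired. Exact subject/attachment/body
    matches are strong signals; the last rule is the advisory's own
    heuristic: legitimate Microsoft mail does not arrive with an
    executable attachment, so a microsoft.com sender plus a .pif/.scr
    file is flagged even when the file name is not on the list.
    """
    msg = message_from_string(raw_message, policy=default)
    hits: list[str] = []

    subject = str(msg["Subject"] or "").strip()
    if subject in SOBIG_C_SUBJECTS:
        hits.append(f"known subject: {subject!r}")

    sender = str(msg["From"] or "").strip().lower()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if name.lower() in SOBIG_C_ATTACHMENTS:
            hits.append(f"known attachment name: {name!r}")
        elif name.lower().endswith(EXECUTABLE_SUFFIXES) and "@microsoft.com" in sender:
            hits.append(f"executable attachment {name!r} from spoofed-looking sender {sender!r}")

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and SOBIG_C_BODY in body.get_content().strip().lower():
        hits.append("known body text")
    return hits


# Constructed sample 1: the advisory's profile (subject, body, attachment).
WORM_MESSAGE = """\
From: bill@microsoft.com
To: victim@example.org
Subject: Re: Approved
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file
--b1
Content-Type: application/octet-stream; name="approved.pif"
Content-Disposition: attachment; filename="approved.pif"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBiaW5hcnk=
--b1--
"""

# Constructed sample 2: spoofed microsoft.com sender, unlisted .scr name.
SPOOFED_MESSAGE = """\
From: support@microsoft.com
To: victim@example.org
Subject: Re: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Details attached.
--b2
Content-Type: application/octet-stream; name="update.scr"
Content-Disposition: attachment; filename="update.scr"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBiaW5hcnk=
--b2--
"""

# Constructed sample 3: ordinary internal mail, no attachment.
CLEAN_MESSAGE = """\
From: hr@example.org
To: victim@example.org
Subject: Re: Your leave request
MIME-Version: 1.0
Content-Type: text/plain

Your leave request was approved. Nothing is attached.
"""

if __name__ == "__main__":
    for label, raw in (("worm", WORM_MESSAGE), ("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(f"{label}: {sobig_c_indicators(raw) or 'no indicator'}")
```

A subject match on its own is a weak signal (anyone can reply with "Re: Approved"), so a gateway rule should act on the attachment-name or body match, or on the microsoft.com-plus-executable heuristic, and treat a lone subject hit as something to log rather than block.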
Eset advises that clients using NOD32 v.1.422 and above are fully protected
against the worm.