Sobig.E worm

Worm arrives as ZIP attachment

By Mary Landesman, About.com

The Sobig.E worm, discovered on June 25, 2003, spreads via email as an attached ZIP file. This allows Sobig.E to bypass many filtering products which, by default, focus on executable file types. Like its predecessors, the Sobig.E worm has a self-limiting lifespan. Sobig.E is hard-coded to stop spreading on July 14, 2003. However, even with its abbreviated spread, the Sobig.E worm can continue to do damage long past that date.

According to antivirus vendor F-Secure, "Sobig.E has the ability to download and run files on an infected system. A hacker can send a URL to the worm (through the port that the worm listens to) and the worm downloads and runs the file that the URL points to. This feature can allow updating the worm or uploading trojans or backdoors to an infected computer."

The backdoor routine found in the Sobig.E worm, coupled with the fact that it spreads as an unexpected ZIP file, could spell trouble for many. "Sobig-E is different from your typical worm as it spreads as a ZIP file. This means even if a company has a forward-thinking security policy of blocking executable code - the usual carrier for email worms - Sobig-E can sneak past and trick people into running its code," said Chris Wraight, technology consultant at Sophos, Inc. "The best defense against Sobig-E is to get into the habit of never running unsolicited code and keep your email gateway and desktop virus protection up-to-date."
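The gap both vendors describe is a gateway that blocks bare executables but passes ZIP archives unopened. The following is an added example, not code from the original article or from either vendor: a small mail-gateway check that identifies ZIP attachments by their magic bytes (not by filename) and flags any archive member that is executable by extension or by its "MZ" header. The message, the archive and its member names are constructed test data.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions a gateway would normally block when they arrive as bare attachments.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
ZIP_MAGIC = b"PK\x03\x04"


def executable_members(zip_bytes):
    """Return names of ZIP members that look executable by extension or by MZ header."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            header = zf.open(info).read(2)          # only the first two bytes are needed
            if ext in EXECUTABLE_EXTS or header == b"MZ":
                found.append(info.filename)
    return found


def scan_message(raw):
    """Inspect every attachment; ZIPs are detected by magic bytes and opened for inspection."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []                                   # (attachment name, offending member or None)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        fname = part.get_filename() or "(unnamed)"
        if data.startswith(ZIP_MAGIC):
            for member in executable_members(data):
                findings.append((fname, member))
        elif data[:2] == b"MZ":                     # bare executable, regardless of its name
            findings.append((fname, None))
    return findings


def build_sample():
    """Constructed test message: a ZIP carrying a fake PE stub (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details.pif", b"MZ" + b"\x00" * 30)   # constructed fake executable
        zf.writestr("readme.txt", b"harmless text")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "spoofed@example.com", "user@example.com", "Re: Application"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="details.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```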

The Sobig.E worm spoofs the sender name, so the From line indicates neither the actual sender nor the infected person from whose machine the worm is unknowingly being sent. Sobig.E also includes its own SMTP engine, so it works independently of the mail client, and infected users will not find copies of the worm email in their Sent folder. To harvest addresses for both the From and To fields, Sobig searches files with the following extensions: .DBX, .EML, .HTM, .HTML, .TXT and .WAB.

F-Secure warns that the worm enumerates network resources and drops copies of itself to the startup folders on remote computers, infecting them after the next reboot.

F-Secure has created a special removal tool to remove the active Sobig.E infection and all its traces. The tool is available from their ftp site, ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.zip. Instructions for the use of the tool can be found at ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.txt.

©2009 About.com, a part of The New York Times Company.

All rights reserved.