Sobig.B Worm is Spreading at an Alarming Rate

F-Secure is raising the alert to the highest level as Sobig.B infections have been reported from over 80 countries worldwide.

Helsinki, Finland - May 19, 2003

Sobig.B (also known as Palyh or Mankx) was first seen on Sunday, 18th of May. Since then it has been spreading at an increasing pace. The largest numbers of infections seem to be in the UK and the USA.

The worm spreads via e-mail attachments and Windows network shares. The e-mails sent by the worm pretend to come from support@microsoft.com and they contain the message text "All information is in the attached file".

“It’s important to remember that Microsoft’s support department never sends out attachments”, explains Mikko Hypponen, Manager of Anti-Virus Research at F-Secure.

The worm collects e-mail addresses from various files on the infected computer and sends the infected e-mails with variable subjects, content, filenames and file sizes.

“The attachments sent by the worm are PIF executables – normal users really never send these types of files”, continues Hypponen. “Corporate companies should simply filter all PIF attachments at gateway level. Home users can use their Delete buttons instead”.
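A minimal sketch of the gateway-level PIF filter recommended above, written as an added example; it is not F-Secure's code or part of the original release. The function names, the sample messages and the secondary rule on the forged sender address are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

BLOCKED_EXTENSIONS = {".pif"}              # the gateway rule recommended above
SPOOFED_SENDER = "support@microsoft.com"   # forged sender named on this page


def normalized_extension(filename):
    """Return the extension Windows acts on, lowercased ('' if none).

    Windows drops trailing dots and spaces, so 'doc.pif. ' still runs as a PIF.
    """
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def gateway_verdict(raw_message):
    """Return the reasons to quarantine a raw message; an empty list means deliver."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    reasons, has_attachment = [], False
    for part in msg.walk():
        filename = part.get_filename()  # also decodes RFC 2231 encoded names
        if not filename:
            continue
        has_attachment = True
        if normalized_extension(filename) in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {filename!r}")
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender == SPOOFED_SENDER and has_attachment:
        reasons.append(f"attachment claiming to come from {SPOOFED_SENDER}")
    return reasons


def build_sample(sender, filename):
    """Build a constructed test message (placeholder bytes, not worm code)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", "sample"
    msg.set_content("All information is in the attached file")
    msg.add_attachment(b"constructed placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for sender, name in [(SPOOFED_SENDER, "details.pif"),
                         ("alice@example.com", "report.PIF"),
                         ("alice@example.com", "notes.txt")]:
        print(sender, name, gateway_verdict(build_sample(sender, name)))
```

The extension check is the primary rule because the worm varies its subjects, content and filenames; the sender rule only catches the forged address named in this release.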

In addition to the e-mail spreading, Sobig.B will search for Windows machines within the infected Local Area Network and will try to copy itself to their Startup folder. This will fail unless users are sharing their Windows directories with write access – a thing that should never be done.

After spreading, Sobig.B will try to download additional code from web pages located at Geocities.com and run it. “There’s been speculation that the Sobig.A virus was used by spammers to create anonymous gateways for sending spam e-mail messages”, says Hypponen. “Perhaps that was the intention with Sobig.B too”. F-Secure has been in touch with various security response organizations and has received confirmation from Geocities that the pages used by the worm have been closed.

The Sobig.B worm won’t spread for long. It has been programmed to stop spreading on the 31st of May, 2003 – in roughly two weeks’ time. It will still continue to send infected e-mails from machines that have their clock set wrong.

More information on the Sobig.B virus is available from the “Global Sobig.B Virus Information Center”, online at http://www.f-secure.com/sobig/

The page includes technical descriptions, images and real-time statistics on the worm. F-Secure is also developing a free tool, which will clean Sobig.B-infected machines. The tool will be posted to this Information Center when it has been released.

F-Secure Anti-Virus can detect, stop and disinfect the Sobig.B worm. F-Secure Anti-Virus can be downloaded from http://www.f-secure.com

About F-Secure

F-Secure Corporation is the leading provider of centrally managed security solutions for the mobile enterprise. The company's award-winning products include antivirus, file encryption and network security solutions for major platforms from desktops to servers and from laptops to handhelds. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since November 1999. The company is headquartered in Helsinki, Finland, with the North American headquarters in San Jose, California, as well as offices in Germany, Sweden, Japan and the United Kingdom and regional offices in the USA. F-Secure is supported by a network of value added resellers and distributors in over 90 countries around the globe. Through licensing and distribution agreements, the company’s security applications are available for the products of the leading handheld equipment manufacturers, such as Nokia and HP.

For more information, please contact:

Mikko Hypponen, Manager, Anti-Virus Research
F-Secure Corporation
Tel. +358 9 2520 5513
Email: Mikko.Hypponen@F-Secure.com

Mikael Albrecht, Product Manager
F-Secure Corporation
Tel. +358 9 2520 5640
Email: Mikael.Albrecht@F-Secure.com

Media contact in the USA:

F-Secure Inc.
Heather Deem
675 N. First Street, 5th Floor
San Jose, CA 95112
Tel. +1 408 350 2178
Fax +1 408 938 6701
Email: Heather.Deem@F-Secure.com