SoBig, So Fast
W32.Sobig.worm makes strong introduction

If you get an email from big@boss.com, it's likely the SoBig worm. According to antivirus developer F-Secure, SoBig always sends itself with the big@boss.com address. The SoBig worm began spreading rapidly after its initial discovery on January 9, 2003. The subject line of the email carrying the SoBig worm will be one of the following:

Re: Here is that sample
Re: Document
Re: Sample
Re: Movies

The message body will read either 'Attached file:' or it will be blank. The email carries an attachment with one of the following names:

Sample.pif
Untitled1.pif
Document003.pif
Movie_0074.mpeg.pif

An example of the email message appears below:

SoBig is also a network worm, copying itself to the Startup folder on discovered network shares.

Removing the worm

  1. Search the Windows\System directory and delete the file 'winmgm32.exe'.
  2. Edit the registry and remove the value 'WindowsMGM' from the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ key.
  3. On network drives (i.e. not the original source of infection), also search and delete the 'winmgm32.exe' file from either of the following locations (depending on your operating system):
    • 'Windows\All Users\Start Menu\Programs\StartUp'; or
    • 'Documents and Settings\All Users\Start Menu\Programs\Startup'
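
As an added example that is not part of the original article, the following PowerShell script audits a host for the three indicators in the removal steps above (the dropped file, the Run value and the Startup-folder copies) and removes them when run with -Remove. It assumes an elevated prompt; the System32 and CommonStartup paths and the process-stop step are assumptions covering NT-family layouts the article does not spell out.

```powershell
# Added example (not from the original article): audit a Windows host for the
# SoBig indicators listed in the removal steps and, with -Remove, clean them up.
# Assumption: run from an elevated PowerShell prompt.
[CmdletBinding()]
param([switch]$Remove)

$fileName = 'winmgm32.exe'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'WindowsMGM'

# Candidate locations from steps 1 and 3. The article names Windows\System and the
# two All Users Startup folders; System32 and CommonStartup are assumptions added
# to cover NT-family layouts.
$paths = @(
    (Join-Path $env:windir 'System'),
    (Join-Path $env:windir 'System32'),
    (Join-Path $env:windir 'All Users\Start Menu\Programs\StartUp'),
    (Join-Path $env:SystemDrive 'Documents and Settings\All Users\Start Menu\Programs\Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

$findings = @()

# Assumption: a running copy holds its file open, so stop it before deleting.
if ($Remove) {
    Get-Process -Name 'winmgm32' -ErrorAction SilentlyContinue | Stop-Process -Force
}

foreach ($dir in $paths) {
    $candidate = Join-Path $dir $fileName
    if (Test-Path -LiteralPath $candidate) {
        $findings += "File present: $candidate"
        if ($Remove) { Remove-Item -LiteralPath $candidate -Force }
    }
}

# Step 2: the Run value that relaunches the worm at logon.
$runEntry = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($runEntry) {
    $findings += "Run value present: $runKey\$runValue = $($runEntry.$runValue)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runValue }
}

if ($findings.Count -eq 0) {
    Write-Output 'No SoBig indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    if ($Remove) { Write-Output 'Indicators removed; reboot and re-scan with updated antivirus.' }
}
```

Run it without -Remove first to see what it would touch on a given machine, and remember that network shares listed in step 3 must be checked from each host that mounts them.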

SoBig began spreading shortly after the Lirva worm gained prominence. Lirva disables antivirus and security software, prompting Ken Dunham, Senior Intelligence Analyst for iDEFENSE Inc., to caution, "SoBig is spreading in the wild during a time where many computers may not have anti-virus and security-related software installed correctly. Many worms and other malicious codes today are successfully disabling anti-virus and security-related software. This has resulted in an increasingly large pool of computers on which malicious code easily spread without detection."

F-Secure promptly added detection for the worm on January 9, 2002. Other antivirus software updated January 10, 2002 or later should be able to effectively detect and remove the worm. If you do not currently have antivirus software, you may get a free online scan, compliments of Trend Micro's Housecall. You can also use products such as MailDefense to stop email worms without the need for updates.

Update: On May 18, 2003, a new variant of SoBig was discovered, this time sending itself as if "from" support@microsoft.com instead of big@boss.com. Details on this variant of Sobig can be found here.

©2008 About.com, a part of The New York Times Company. All rights reserved.