
Win32.Sobig.B@mm (Palyh)


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Sobig.B@mm (Palyh) is also known as Win32.Sobig.(A,B.

Explanation:

This mass mailer spreads itself via email, as an attached file with one of the following names:
your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif

The email is spoofed so that it appears to come from support@microsoft.com, has "All information is in the attached file." as its body, and the subject is one of the following:
Your details
Approved (Ref: 38446-263)
Re: Approved (Ref: 3394-65467)
Your password
Re: My details
Screensaver
Cool screensaver
Re: Movie
Re: My application
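The sender, body text, subject lines and attachment names listed above are static indicators that a mail gateway or mailbox scanner can match on. The following is an added example written for this page, not BitDefender's detection logic: it parses a raw RFC 822 message with Python's standard email library, checks each indicator from the description, and flags a message as Sobig.B when a listed attachment name is present, or when any .pif attachment is combined with the spoofed sender, a listed subject, or the listed body text. The sample messages it builds are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
SPOOFED_SENDER = "support@microsoft.com"
BODY_TEXT = "All information is in the attached file."
ATTACHMENT_NAMES = {
    "your_details.pif", "ref-394755.pif", "approved.pif", "password.pif",
    "doc_details.pif", "screen_temp.pif", "screen_doc.pif", "movie28.pif",
    "application.pif",
}
SUBJECTS = {
    "Your details", "Approved (Ref: 38446-263)", "Re: Approved (Ref: 3394-65467)",
    "Your password", "Re: My details", "Screensaver", "Cool screensaver",
    "Re: Movie", "Re: My application",
}


def score_message(raw: bytes) -> dict:
    """Parse a raw message and report which Sobig.B indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From", "")).lower()
    subject = str(msg.get("Subject", "")).strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    names = [p.get_filename().lower() for p in msg.iter_attachments() if p.get_filename()]
    return {
        "sender": SPOOFED_SENDER in sender,
        "subject": subject in SUBJECTS,
        "body": BODY_TEXT in body,
        "attachment": any(n in ATTACHMENT_NAMES for n in names),
        "pif_attachment": any(n.endswith(".pif") for n in names),
    }


def is_sobig_b(raw: bytes) -> bool:
    """Decision rule: a listed attachment name alone is enough; otherwise a .pif
    attachment must coincide with at least one other indicator."""
    h = score_message(raw)
    return h["attachment"] or (
        h["pif_attachment"] and (h["sender"] or h["subject"] or h["body"])
    )


def build_sample(sender: str, subject: str, body: str, attachment_name: str) -> bytes:
    """Construct a test message (sample data, not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.com"  # constructed recipient
    m["Subject"] = subject
    m.set_content(body)
    # Placeholder attachment bytes; only the file name matters for this check.
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


# Constructed samples: one matching the description, one benign.
WORM_SAMPLE = build_sample(SPOOFED_SENDER, "Your details", BODY_TEXT, "your_details.pif")
BENIGN_SAMPLE = build_sample("alice@example.com", "Lunch", "See you at noon.", "notes.txt")

if __name__ == "__main__":
    for label, raw in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, is_sobig_b(raw), score_message(raw))
```

The rule deliberately does not fire on the spoofed sender alone, since a forged From header with no payload is a phishing signal rather than this worm; in practice the .pif extension check is the durable part, as the listed names and subjects were varied by later family members.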

Once executed, the malware copies itself into %windows% (e.g. C:\WINNT) and transfers control to that copy. It then searches the whole hard disk for email addresses contained in files with the following extensions: wab, dbx, htm, html, eml, txt.

Starting on 31 May 2003 the worm stops spreading, but it still infects the machine on which it is executed.
The virus has been renamed from Win32.Palyh.A@mm to Win32.SoBig.B@mm, as it belongs to the SoBig family.

Last update 21 November 2011

 
