Name: I-WORM.SoBig.E
AKA:
Type: Internet Worm
Size: 82195 bytes
Platform: Win 95/98/ME/NT/2000/XP
Description:
SoBig.E is a new variant of the I-Worm (Internet Worm) SoBig. This worm spreads through email messages, harvesting addresses from Outlook's contacts or HTML files.
The worm sends email messages with the sender support@yahoo.com or with other senders.
Messages could have the following subjects:
Re: Movie, Re: Movies, Re: Submited (Ref: 003746), Re: Screensaver, Re: Documents, Re: Re: Application ref. 003644, Re: Re: Document, Your application.
And could have the following attachments:
details.pif, application.zip, application.pif, document.zip, document.pif, screensaver.zip, sky_world.scr, Movie.zip, Movie.pif.
The .ZIP files contain executables infected with SoBig. When an infected file is executed, SoBig.E creates winssk32.exe inside the Windows folder and then edits the registry so that the file is executed at every startup.
SoBig.E can also spread through a LAN by copying itself into the Windows StartUp folder.
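
A mail-gateway style check built from the subjects, sender and attachment names listed above, which also opens ZIP attachments and reports executable members. This is an added example, not part of the original description; the function names, the extension list in `EXEC_EXT` and the sample message are assumptions made for the illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators listed in the description above, lower-cased for comparison.
SUBJECTS = {"re: movie", "re: movies", "re: submited (ref: 003746)", "re: screensaver",
            "re: documents", "re: re: application ref. 003644", "re: re: document",
            "your application"}
ATTACHMENTS = {"details.pif", "application.zip", "application.pif", "document.zip",
               "document.pif", "screensaver.zip", "sky_world.scr", "movie.zip", "movie.pif"}
EXEC_EXT = (".pif", ".scr", ".exe")  # assumption: extensions treated as executable

def zip_executables(data):
    """Names of executable members in a ZIP attachment ([] if unreadable)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []

def scan_message(raw):
    """Return indicator matches for one raw message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if " ".join(str(msg.get("Subject", "")).lower().split()) in SUBJECTS:
        hits.append("subject")
    if "support@yahoo.com" in str(msg.get("From", "")).lower():
        hits.append("sender")  # weak alone: the worm also uses other senders
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
        if name.endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            hits += [f"zip-member:{name}/{m}" for m in zip_executables(data)]
    return hits

def build_sample():
    """Constructed test message; the ZIP member is placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.pif", b"placeholder")
    msg = EmailMessage()
    msg["From"], msg["Subject"] = "support@yahoo.com", "Re: Documents"
    msg.set_content("constructed sample body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` returns the matched indicators in order; a subject or sender match alone is weak evidence, while a ZIP carrying a `.pif` or `.scr` member is the stronger signal.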