 | This articleneeds additional citations forverification. Please helpimprove this article byadding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Sobig" – news ·newspapers ·books ·scholar ·JSTOR(August 2023) (Learn how and when to remove this message) |
| Sobig | |
|---|---|
| Type | Computer Worm,Trojan Horse |
| Origin | August 2003 |
| Authors | Ruslan Ibragimov (unconfirmed) |
| Technical details | |
| Platform | Microsoft Windows |
TheSobig Worm was a computer worm that infected millions ofInternet-connected,Microsoft Windows computers in August 2003.[1]
Although there were indications that tests of the worm were carried out as early as August 2002,Sobig.A was first found in the wild in January 2003.Sobig.B was released on May 18, 2003. It was first calledPalyh, but was later renamed to Sobig.B afteranti-virus experts discovered it was a new generation of Sobig.Sobig.C was released May 31 and fixed the timing bug in Sobig.B.Sobig.D came a couple of weeks later followed bySobig.E on June 25. On August 19,Sobig.F became known and set a record in sheer volume of e-mails.
The worm was most widespread in its "Sobig.F" variant.
As of 2018[update], Sobig is the second fastest computer worm to have ever entered the wild, being surpassed only byMydoom.
Sobig was not only acomputer worm in the sense that it replicates by itself, but also aTrojan horse in that it masquerades as something other thanmalware. The Sobig.F worm would appear as anelectronic mail with one of the following subjects:
It would contain the text: "See the attached file for details" or "Please see the attached file for details", as well as an attachment as one of the following names:
The Sobig viruses infected a host computer by way of the above-mentioned attachment. When this is started they will replicate by using their ownSMTP agent engine. E-mail addresses that will be targeted by the virus are gathered from files on the host computer. Thefile extensions that will be searched for e-mail addresses are:
The Sobig.F variant was programmed to contact 20IP addresses onUDP port 8998 on August 26, 2003 to install some program or update itself. It is unclear what this program was, but earlier versions of the virus had installed theWinGateproxy server software—a legitimate product—in a configuration allowing it to be used as abackdoor forspammers to distribute unsolicited e-mail.
The Sobig worm was written using the Microsoft Visual C++ compiler, and subsequently compressed using a data compression program calledtElock.
The Sobig.F worm deactivated itself on September 10, 2003. On November 5 the same year,Microsoft announced that they will pay $250,000 for information leading to the arrest of the creator of the Sobig worm. Ruslan Ibragimov is attributed to be the original creator of the worm, however this is not confirmed.[1]