
Windows "W32.Sobig.F@mm" worm reported on campus (08/19/03)

W32.Sobig.F@mm, a Windows virus, has been reported at Cornell. W32.Sobig.F@mm infects computers running Windows 95, Windows 98, Windows Me, Windows 2000, Windows NT, or Windows XP.

Cornell's PureMessage mail filtering software has been updated to detect and block this virus on Cornell's new mail servers (postoffice6, postoffice8, or postoffice9). This worm is devious, however, and there have been reports of some infected messages slipping past the filters. It is vital to update your virus protection without delay.

What to watch for:

W32.Sobig.F@mm is contained in an e-mail attachment. The attachment's name varies but is typically a generic name like "your_document.pif" with a similarly generic subject like "Re: Details." The message text reads "See (or Please see) the attached file for details." The "From:" address may be "admin@internet.com" or another fake address, but will usually not be the real sender.

Do not open any suspect e-mail attachment. (If you use a mail program other than Eudora, especially MS Outlook, the worm may be able to launch itself and infect other systems even if you don't open the attachment.) If launched, this worm sets itself up to run every time you start Windows, sends copies of itself to all the e-mail addresses it finds in certain types of files and to network shares where you have write access, and can download and run programs without your knowledge. According to Symantec's advisory, "The author of the worm has used this functionality to steal confidential system information and to set up spam relay servers on infected computers."
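The traits listed above (a generic executable attachment such as "your_document.pif", a generic subject such as "Re: Details", a body reading "See/Please see the attached file for details", and a spoofed "From:" such as admin@internet.com) are exactly what a mail-gateway filter keys on. The following is an added example written for this page; it is not CIT's PureMessage configuration or Symantec's code. It scores a raw RFC 822 message against those traits and quarantines only when an executable attachment is paired with at least one other trait, so an ordinary "Re: Details" reply without an attachment passes. The two sample messages are constructed, and the extensions other than .pif are an assumption added so a renamed copy of the same attachment is still caught.

```python
import email
import re
from email import policy
from typing import List

# Traits quoted from the advisory above.
GENERIC_SUBJECT_RE = re.compile(r"^\s*re:\s*details\.?\s*$", re.IGNORECASE)
BODY_RE = re.compile(r"(please\s+)?see\s+the\s+attached\s+file\s+for\s+details",
                     re.IGNORECASE)
SPOOFED_SENDERS = ("admin@internet.com",)
# .pif comes from the advisory; the other extensions are an assumption so the
# same check also catches a renamed copy of the attachment.
RISKY_EXTENSIONS = (".pif", ".scr", ".exe", ".bat", ".com")


def sobig_indicators(raw: bytes) -> List[str]:
    """Return the Sobig.F traits found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if GENERIC_SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("generic subject")
    # The From: line is forged by the worm, so this is only a weak signal.
    sender = str(msg.get("From", "")).lower()
    if any(addr in sender for addr in SPOOFED_SENDERS):
        hits.append("known spoofed sender")
    # Walk every MIME part and flag directly executable attachment names.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            hits.append("executable attachment " + filename)
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_RE.search(body.get_content()):
        hits.append("generic body text")
    return hits


def should_quarantine(raw: bytes) -> bool:
    """Quarantine only when an executable attachment is paired with at least
    one other trait, so a plain 'Re: Details' reply from a colleague passes."""
    hits = sobig_indicators(raw)
    has_exe = any(h.startswith("executable attachment") for h in hits)
    return has_exe and len(hits) >= 2


# Constructed sample: the pattern described in the advisory.
SUSPECT = b"""From: admin@internet.com
To: someone@example.edu
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="us-ascii"

Please see the attached file for details.
--BOUND
Content-Type: application/octet-stream; name="your_document.pif"
Content-Disposition: attachment; filename="your_document.pif"
Content-Transfer-Encoding: base64

QUFBQQ==
--BOUND--
"""

# Constructed sample: a legitimate reply that shares only the subject line.
BENIGN = b"""From: colleague@example.edu
To: someone@example.edu
Subject: Re: Details
Content-Type: text/plain; charset="us-ascii"

Here are the details we discussed, no attachment needed.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, should_quarantine(raw), sobig_indicators(raw))
```

Because the sender address is forged, the attachment check carries the weight; the subject and body text only raise confidence. The same structure applies to any worm whose traits are published in an advisory: put the traits in the constants, keep the attachment test as the mandatory leg.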

For complete details, see Symantec's W32.Sobig.F@mm web page.

This worm will stop spreading itself on Sept. 9 and deactivate itself on Sept. 10, 2003.

How to avoid it:

CIT urges all Windows users to update their Symantec AntiVirus software and perform a complete system scan. W32.Sobig.F@mm is detected by Symantec AntiVirus software that has been updated to the 8/19/2003 rev.3 virus definition file, or a newer file.

To update, run Symantec (Norton) AntiVirus and choose LiveUpdate. Alternatively, download the definition file via Bear Access (Virus Protection folder), from Symantec's download page, or from Cornell's local copy of the latest update.

Also see CIT's tips for making Eudora more resistant to viruses/worms.

Cornell University has signed a site license with Symantec to provide Symantec (Norton) AntiVirus (NAV) to the entire campus community. The license allows NAV to be used on all university-owned computers, home computers of staff and faculty, and computers owned by registered students.

How to get rid of it:

If you suspect your computer has been infected, download the Sobig.F removal tool. Also, you can visit Symantec's W32.Sobig.F@mm web page for instructions on how to remove the virus. If you need additional assistance, please contact the CIT Contact Center (HelpDesk).

-------------------------

If you need help, please ask the CIT Contact Center (HelpDesk) by calling 255-8990, by sending e-mail to helpdesk@cornell.edu, or by visiting 119 CCC. The HelpDesk is open Monday-Friday from 8:00 a.m. to 5:00 p.m., with extended phone hours Monday-Thursday from 5:00 p.m. to 8:00 p.m. during the academic year. If the HelpDesk is closed and your problem is urgent, contact the Network Operations Center at 255-9900.



Last modified: June 04, 2007