Skip Over Navigation Links
Center for Information TechnologyAntivirus
Antivirus Home Page
Contact Us
Questions or Comments
Disclaimers

Software
Current client downloads:
VScan Engine/Dat (SuperDat) -5.2.00/4.0.5378
VirusScan Enterprise 8.5i (with Patch 6) - Windows NT/2000/XP/2003
VirusScan Enterprise 7.1 - Windows NT/2000/XP/2003
Virex (OS X) Engine/Def - 7.2(v1.1)/080903
Virex (OS 9.x) Engine/Def - 6.2/071001
Linux & Solaris Engine/Dat - 5.2.00/4.0.5196
Symantec Antivirus - 10.1.7.7000
Symantec Antivirus - 10.2
Clean Boot 1.0
Stinger v3.8.0 virus removal tool (Updated 09/10/07)
Current server downloads:
VirusScan Enterprise 8.5
VirusScan Enterprise 7.1
NetShield NetWare - 4.6.2
NetShield NetWare - 4.6.3
NetShield NetWare Engine Update - 4.4.00
ePO agent for NetWare
ScanMail eManager - 3.0

Information
ePO 3.0/VirusScan 7.0 Presentation
Virex 7.x Installation Instructions
VirusScan FAQs
VirusScan Instructions
Additional Resources

Archives
List of Viruses

Virus Alerts

W32/SoBig.E Last Updated 06/25/03 5:30pm

The w32/SoBig.E email virus that infects Windows machines and is spreading in the wild. w32/SoBig.E is a mass mailing worm that also spreads through open network shares. The worm spoofs the address of the sender with a random address and uses its own SMTP engine to send mail from the infected client.

The subject of the email may be one of the following:

  • Application Ref: 456003
  • Your application
  • Re: Re: Document
  • Re: Re: Application ref. 003644
  • Re: Documents
  • Re: Screensaver
  • Re: Submited (Ref: 003746)
  • Re: Movies
  • Re: Movie
  • Re: Application

The attachment name is one of the following:

  • Movie.zip and within the .zip archive is Movie.pif
  • screensaver.zip and within the .zip archive is sky_world.scr
  • document.zip and within the .zip archive is document.pif
  • application.zip and within the .zip archive is application.pif
  • your_details.zip and within the .zip archive is details.pif

The body of the message is: Please see the attached zip file for details

When the attachment is run, the following files are dropped in the default Windows (typically C:\Windows, C:\WINNT) directory:

  • "winssk32.exe" (approx 85kB) (a copy of itself)
  • "msrrf.dat" (configuration file)

w32/SoBig.E creates the following registry keys to load itself at system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "SSK Service" = %WinDir%\winssk32.exe

On Windows NT4/2000/XP systems w32/SoBig.E creates a service named winssk32.exe.

The current 4273 Dat/SuperDat released by NAI will detect and remove w32/SoBig.E.

The definitions released 6-25-2003 and later by Symantec detect and remove w32/SoBig.E. The definitions are available through the LiveUpdate feature of Norton Antivirus.

For more information see:

http://vil.nai.com/vil/content/v_100429.htm from NAI regarding w32/SoBig.E.

http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html from Symantec regarding w32/SoBig.E.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.

Contact NIH Help Desk for assistance:
866-319-4357 (toll free), 301-496-4357 (6-HELP) (local), 301-496-8294 (TDD)
http://ithelpdesk.nih.gov/support
Register for iForgotMyPassWord

National Institutes of HealthCenter for Information Technology
National Institutes of Health
Bethesda, Maryland 20892

Questions or Comments | Disclaimers | Privacy Policy

 Department of Health and Human ServicesHealth and Human Services
Washington, D.C. 20201
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -