What You Should Know About the Sobig Worm

Sobig.A and its variants spread through e-mail and network shares. This worm typically disguises e-mail messages with an @microsoft.com address so that it appears they are coming from Microsoft, a tactic known as spoofing. Many of the addresses are valid addresses that are being spoofed for malicious purposes.

The variants of the Sobig worm include Sobig.A, Sobig.B, Sobig.C, Sobig.D, Sobig.E, and Sobig.F.

Message characteristics vary for each variant of the Sobig virus. Technical information from each variant is available from antivirus vendors participating in the Microsoft Virus Information Alliance (VIA).

If you ever receive a questionable e-mail message that contains an attachment, do not open the attachment. If you cannot confirm with the sender that the message is valid and that the attachment is safe, delete the message immediately. If you receive a questionable message that purports to be from Microsoft, you should be aware that Microsoft never distributes software through e-mail.

Affected Products
  • Microsoft® Outlook®
  • Microsoft Outlook Express
  • Web-based e-mail programs

How to Help Protect Against This Worm

To avoid infection, you should block harmful attachments at your Internet mail gateways. For this worm, block all attachments with the .pif extension. (The extension may be truncated to .pi in some instances.) Additionally, you should use the features in the latest versions of Outlook and Outlook Express to block harmful attachments.
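The gateway rule described above can be sketched as follows. This is an added example, not Microsoft's code or any mail product's configuration. The function names, the sample messages, and the extra rule that rejects any attachment from a purported @microsoft.com sender (based on the statement that Microsoft never distributes software through e-mail) are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions the advisory says to block: .pif and its truncated form .pi
BLOCKED_EXTENSIONS = {".pif", ".pi"}


def attachment_names(msg):
    """Yield the declared filename of every MIME part that has one."""
    for part in msg.walk():
        name = part.get_filename()  # also decodes RFC 2231 encoded names
        if name:
            yield name


def final_extension(filename):
    """Lower-cased last extension, ignoring trailing dots and spaces
    (Windows drops them on save, so 'x.pif. ' is still a .pif file)."""
    cleaned = filename.strip().rstrip(". ").lower()
    dot = cleaned.rfind(".")
    return cleaned[dot:] if dot != -1 else ""


def gateway_verdict(raw_bytes):
    """Return (action, reasons) for one raw message as received by the gateway."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    names = list(attachment_names(msg))
    reasons = [f"blocked extension: {n}" for n in names
               if final_extension(n) in BLOCKED_EXTENSIONS]
    # Assumed extra rule: the From header is easily spoofed, and Microsoft
    # does not send software by e-mail, so such an attachment is suspect.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if names and sender.endswith("@microsoft.com"):
        reasons.append("attachment claims a microsoft.com sender")
    return ("reject" if reasons else "accept"), reasons


def build_sample(sender, filename=None):
    """Constructed test message with a placeholder body (not a real sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.org", "Re: Details"
    m.set_content("See the attached file for details.")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

The check matches on the final extension only, so a double extension such as `movie.mpg.pif` is still caught, and matching is case-insensitive.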

For Outlook 2000 and Outlook XP

Outlook 2000 Service Pack 3 (SP3) and later and Outlook XP SP1 include the most recent updates to improve the security in Outlook and other Microsoft Office System programs. This includes a feature that blocks potentially harmful attachment types. If you are running either of these versions, they will by default block the attachment, and you will be unable to open it.

By default, Outlook 2000 prior to Service Release 1 (SR1) and Outlook 98 did not include this feature, but it can be obtained by installing the Outlook E-mail Security Update.

For Outlook 2002

For Outlook Express 6

Outlook Express 6 can be configured to block potentially damaging attachments.

For Earlier Versions of Outlook Express

Earlier versions of Outlook Express contain no attachment-blocking features. Users of these products are strongly encouraged to upgrade to the latest version and to use extreme caution when opening unsolicited e-mail messages with attachments.

For Web-Based E-mail

If you use Web-based e-mail, you should install a third-party firewall to help protect your computer from this worm.

What to Do If You Think Your Computer Is Infected

  1. If you think your computer is infected, first try going to your antivirus software vendor's Web site to get the latest updates. You might be able to update your virus definitions to detect and remove the virus. Going forward, be sure to keep your virus definitions current to avoid infection.
  2. If your computer has been infected and you need technical assistance, please contact Microsoft Product Support Services or your antivirus vendor for assistance removing it.
    • For Microsoft Product Support Services within the United States and Canada, call toll-free (866) PCSAFETY (727-2338).
    • For Microsoft Product Support Services outside the United States and Canada, visit the Product Support Services Web page.

Get More Technical Details

Get additional details on this worm from antivirus software vendors participating in the Microsoft Virus Information Alliance (VIA):

What the Severity Ratings Mean

Critical. There is a vulnerability related to a Microsoft product or there is no patch available; there are two or more vectors of infection; there is the possibility of a new vector of infection; the distribution potential is high; there is the potential for unique data destruction; and there is a significant disruption of service.

Moderate. There is a potential vulnerability related to a Microsoft product; there are two or fewer vectors of infection; there is the potential for a new vector of infection; the distribution potential is medium to high; there is no unique data destruction; and there is no significant disruption of service.

Low. There is no vulnerability related to a Microsoft product; there is only one vector of infection; there is no new vector of infection; the distribution potential is low; there is no unique data destruction; and there is no significant disruption of service.

Widespread connectivity by means of the Internet and powerful devices have changed the face of computing and communications, bringing great benefits as well as new, constantly evolving security challenges. Microsoft is committed to helping customers mitigate threats by enhancing security across our platform and products, and by working with industry partners.

For more information about Microsoft's latest efforts, please see the following:

Antivirus Resources

Find Antivirus Vendors