May 20, 2003 Information Security Advisory

Another Internet worm was discovered on Monday and has been actively replicating itself.

W32.Sobig.B@mm   
Discovered on: May 18, 2003  
W32.Sobig.B@mm is a mass-mailing worm that sends itself to all the email addresses available 
on the infected computer's email address book. It is also known as the W32.HLLW.Mankx@mm [Norton AV], 
W32/Palyh@MM [McAfee], W32/Palyh-A [Sophos], I-Worm.Palyh [KAV], WORM_PALYH.A [Trend], 
Win32.Palyh.A [CA] 

The infected email message has the following characteristics:

From: support@microsoft.com

Subject: The subject line will be one of the following:
Your details 
Approved (Ref: 38446-263) 
Re: Approved (Ref: 3394-65467) 
Your password 
Re: My details 
Screensaver 
Cool screensaver 
Re: Movie 
Re: My application

Message Body: All information is in the attached file.

Attachment: The attachment name will be one of the following: 
your_details.pif 
ref-394755.pif 
approved.pif 
password.pif 
doc_details.pif 
screen_temp.pif 
screen_doc.pif 
movie28.pif 
application.pif

Recommendation:
Workingarts recommends that you be particularly careful with email in the next few days as 
you may receive file attachments that are commonly used to spread viruses, such as .vbs, 
.bat, .exe, .pif and .scr files. to help propagate this worm.
Be sure to update your virus signatures database and perform a full system scan.

Frederic Martin
www.workingarts.com

PS: If you want to be removed from this computer security advisory mailinglist, please 
reply with "remove" in the subject of the message.