ALERT:Reteras Redux: The Worm Returns



Type: Worm
Aliases: W32.Sobig.F@mm, WORM_SOBIG.F, I-Worm.Sobig.f, W32/Sobig.F-mm
Vulnerable Operating Systems: Windows 95/98/ME/NT/2000/XP.
How It Infects: Through infected email attachments or shared network folders.

What It Does:
- Scours files on your hard drive for email addresses, then sends infected email to the addresses it finds.
- Spoofs (mimics) the From: email address to make people think the message is from you or someone they might know. The email address will either be one found on your computer or
- Modifies your computer's registry so that it loads itself whenever Windows starts.
- Places infected files onto your computer.
- Infects networked computers through their shared folders.
- Attempts to contact a list of web servers and access an address where it can download files to your computer, files such as spyware, trojans, or newer versions of itself.
- Reportedly, Win32.HLLM.Reteras may use your computer as a relay server for spam.
- Stops its mass mailing on September 10, 2003, although the computer is still infected and needs to have the worm removed completely. If this worm follows its previous versions, it is expected to make some changes to the subject lines or attachment names, and change the registry and file entries it makes. We will continue to update Stop-Sign to remove this worm.

The email subject line may include any of the following:
Re: Approved
Re: Details
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Your application
Re: Wicked screensaver
Thank you!
Your details

The body of the email message is either "See the attached file for details" or "Please see the attached file for details."

The email attachment is randomly selected from:

Files with the following file extensions are searched for email addresses used to propagate the worm: