Win32:Sobig-B

Win32:Sobig-B is a mass-mailing worm (also known as Palyh) that pretends to come from the support@microsoft.com e-mail address. The worm sends itself to all e-mail addresses it finds in files with the following extensions: wab, dbx, htm, html, eml and txt. The e-mail message appears to come from the address support@microsoft.com and has one of the following subjects:
Your details
Approved (Ref: 38446-263)
Re: Approved (Ref: 3394-65467)
Your password
Re: My details
Screensaver
Cool screensaver
Re: Movie
Re: My application

The message body contains the following string:
All information is in the attached file.

The attachment is an executable program about 50 KB long and it has a pif extension.
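
The e-mail indicators listed above (sender address, subject lines, body string, pif attachment) can be turned into a mail-filter check. The following is an added example, not code from avast!; the function names, the sample messages and the attachment file name are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the description above, lower-cased for comparison.
SENDER = "support@microsoft.com"
SUBJECTS = {
    "your details", "approved (ref: 38446-263)", "re: approved (ref: 3394-65467)",
    "your password", "re: my details", "screensaver", "cool screensaver",
    "re: movie", "re: my application",
}
BODY_MARKER = "all information is in the attached file."


def sobig_b_indicators(raw: bytes) -> set:
    """Return which of the Sobig-B e-mail indicators appear in one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    from_hdr = msg["From"]  # forged by the worm, so compare the address only
    if from_hdr and any(a.addr_spec.lower() == SENDER for a in from_hdr.addresses):
        hits.add("sender")
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and name.lower().endswith(".pif"):
            hits.add("pif_attachment")
        elif not name and part.get_content_type() == "text/plain":
            if BODY_MARKER in part.get_content().lower():
                hits.add("body")
    return hits


def build_sample(sender, subject, body, attachment=None) -> bytes:
    """Constructed sample message; the attachment is inert placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


if __name__ == "__main__":
    worm_like = build_sample("support@microsoft.com", "Re: Movie",
                             "All information is in the attached file.", "movie.pif")
    benign = build_sample("alice@example.org", "Meeting notes", "See you at 10.")
    print(sorted(sobig_b_indicators(worm_like)))
    print(sorted(sobig_b_indicators(benign)))
```

A pif attachment is worth quarantining on its own; the other indicators help attribute a hit to this particular worm.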

Win32:Sobig-B copies itself into the Windows folder under the name msccn32.exe and then sets the following registry values so that it is executed every time you log on to your computer:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System Tray
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Tray

The worm is also able to spread itself across the local network by copying itself to the Startup folders on shared resources.

The worm deactivates itself on 31st May 2003.

Removal:
To remove this virus please use our free avast! Virus Cleaner.

avast! with VPS file dated on or after 19th May 2003 is able to detect this worm.
