W32/Sobig.f@mm is a new version of the Sobig mass-mailing worm.
It spreads by using it’s own SMTP (mail) engine to send itself to email addresses that it finds within files on the infected system.
The emails may have various subjects, like:
Re: Approved ; Re: Thank you! ; Re: Re: My details ; Re: That movie ; Thank you! ; Re: Details ; Re: Your application ; Re: Wicked screensaver
Attached to the email is a zipped .pif file that contains the virus code.
Once the virus executes it copies itself to the windows folder of the system, and creates a registry key so that it loads on start-up.
It may also attempt to spread via open network shares.
It then searches the system for files that may contain email addresses, and send itself out to those addresses.
The FROM line of the email is usually spoofed, which means that the virus uses one of the addresses found on your system to make it look like the infected email is coming from another person. This makes it difficult to know who actually sent you the infected email.
All versions of Windows are affected by this worm.
Symantec states in their Security Response to this worm that the author of the worm has also used it to download and run files on the infected system so that it can be used to relay spam.
The Sobig.F worm deactivates itself after the 9th of September 2003.