Editing Sobig (section)

==Technical details==

The Sobig viruses infected a host computer by way of the above-mentioned attachment. When this is started they will replicate by using their own [[SMTP]] agent engine. E-mail addresses that will be targeted by the virus are gathered from files on the host computer. The [[file extension]]s that will be searched for e-mail addresses are:

* .dbx
* .eml
* .hlp
* .htm
* .html
* .mht
* .wab
* .txt

The Sobig.F variant was programmed to contact 20 [[Internet Protocol|IP addresses]] on [[User Datagram Protocol|UDP]] port 8998 on August 26, 2003 to install some program or update itself. It is unclear what this program was, but earlier versions of the virus had installed the [[WinGate]] [[proxy server]] software—a legitimate product—in a configuration allowing it to be used as a [[Backdoor (computing)|backdoor]] for [[spamming|spammers]] to distribute unsolicited e-mail.

The Sobig worm was written using the Microsoft Visual C++ compiler, and subsequently compressed using a data compression program called [[tElock]].

The Sobig.F worm deactivated itself on September 10, 2003. On November 5 the same year, [[Microsoft]] announced that they will pay $250,000 for information leading to the arrest of the creator of the Sobig worm. Ruslan Ibragimov is attributed to be the original creator of the worm, however this is not confirmed.[https://www.eweek.com/security/who-wrote-sobig/#:~:text=Ruslan%20Ibragimov%20of%20Moscow%2C%20Russia,team%2C%20authored%20the%20Sobig%20virus.]