07-05-2003, 11:18 PM
Hellfighter
W32.Sobig.E@mm Virus if you need help

If you need help to remove it, here is a tool to do it with and information on it:
"W32.Sobig.E@mm removal tool click-here"

General Info on it:
From: support @ yahoo.com

(NOTE: W32.Sobig.E@mm spoofs this field. It could be any address.)

Subject: The subject line will be one of the following:
Re: Application
Re: Movie
Re: Movies
Re: Submitted
Re: ScRe:ensaver
Re: Documents
Re: Re: Application ref 003644
Re: Re: Document
Your application
Application.pif
Applications.pif
movie.pif
Screensaver.scr
submited.pif
new document.pif
Re: document.pif
004448554.pif
Referer.pif


Attachment: The attachment name will be one of the following:
Your_details.zip (contains Details.pif)
Application.zip (contains Application.pif)
Document.zip (contains Document.pif)
Screensaver.zip (contains Sky.world.scr)
Movie.zip (contains Movie.pif)

NOTE: The worm de-activates on July 14, 2003, and therefore, the last day on which the worm will spread is July 13, 2003.

Reason for this: I got an e-mail today with it in it. Norton Antivirus stopped it dead. I used the tool to double-check that it had been stopped anyway, playing it safe, and it did not find it at all.
It saved me a big-time headache. The tool ran for 2-4 min, then reported all clear; it did not find it at all in my system.

This is what it can do:

When W32.Sobig.E@mm is executed, it performs the following actions:


Copies itself as %Windir%\winssk32.exe.

NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.


Creates the file, %Windir%\msrrf.dat.


Adds the value:

"SSK Service"="%Windir%\winssk32.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that W32.Sobig.E@mm runs when you start Windows.


If the operating system is Windows NT/2000/XP, then the worm will also add the value:

"SSK Service"="%Windir%\winssk32.exe"

to the registry key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Counts the Network Resources and copies itself across the network to the following folders:
Windows\All Users\Start Menu\Programs\StartUp
Documents and Settings\All Users\Start Menu\Programs\Startup

Sobig.E can download arbitrary files to infected computers and execute them. The author of the worm has used this functionality to steal confidential system information and to set up spam relay servers on infected computers.

This functionality may also be used as a worm self-update feature. Under the correct conditions, Sobig.E attempts to contact one of the list of master servers, which the author of the worm controls. Then, the worm retrieves a URL that it uses to determine where to get the Trojan file, downloads the Trojan file to the local computer, and then executes it.


more info:
http://securityresponse.symantec.com...obig.e@mm.html
Last edited by Hellfighter; 07-05-2003 at 11:34 PM.
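
Added example, not part of the post above or of the Symantec write-up it quotes: a mail-side check in Python that flags a message whose subject, attachment name, or zip member matches the indicators listed in the post. The From address is ignored because the post notes it is spoofed. The function names and the sample message built by `build_sample` are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
# Indicators copied from the post above (lower-cased for comparison).
SUBJECTS = {s.lower() for s in (
    "Re: Application", "Re: Movie", "Re: Movies", "Re: Submitted",
    "Re: ScRe:ensaver", "Re: Documents", "Re: Re: Application ref 003644",
    "Re: Re: Document", "Your application", "Application.pif",
    "Applications.pif", "movie.pif", "Screensaver.scr", "submited.pif",
    "new document.pif", "Re: document.pif", "004448554.pif", "Referer.pif")}
# Outer zip name -> executable the post says it contains.
ATTACHMENTS = {"your_details.zip": "details.pif", "application.zip": "application.pif",
               "document.zip": "document.pif", "screensaver.zip": "sky.world.scr",
               "movie.zip": "movie.pif"}

def sobig_e_findings(raw: bytes) -> list[str]:
    """Return the reasons a raw RFC 822 message matches the post's indicators."""
    msg = message_from_bytes(raw)
    findings = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        findings.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name not in ATTACHMENTS:
            continue
        findings.append("attachment-name:" + name)
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                inner = {n.lower() for n in zf.namelist()}
        except zipfile.BadZipFile:
            findings.append("unreadable-zip:" + name)  # cannot inspect, so report it
            continue
        if ATTACHMENTS[name] in inner:
            findings.append("zip-member:" + ATTACHMENTS[name])
    return findings

def build_sample(subject: str, zip_name: str, member: str) -> bytes:
    """Constructed test message: an inert text payload stored under the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"inert placeholder, not malware")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", subject
    msg.set_content("constructed sample body")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
if __name__ == "__main__":
    print(sobig_e_findings(build_sample("Re: Movies", "Movie.zip", "Movie.pif")))
```

A subject match alone is a weak signal, since several of the listed subjects are ordinary phrases; the zip-member match is the strongest of the three.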