W32.Sobig.E@mm [aka: Win32.Sobig.E [CA], W32/Sobig-E [Sophos], W32/Sobig.e@MM [McAfee], WORM_SOBIG.E [Trend]]
From: support@yahoo.com (NOTE: W32.Sobig.E@mm spoofs this field. It could be any address.)
Subject: The subject line will be one of the following:
* Re: Application
* Re: Movie
* Re: Movies
* Re: Submitted
* Re: ScRe:ensaver
* Re: Documents
* Re: Re: Application ref 003644
* Re: Re: Document
* Your application
* Application.pif
* Applications.pif
* movie.pif
* Screensaver.scr
* submited.pif
* new document.pif
* Re: document.pif
* 004448554.pif
* Referer.pif
Attachment: The attachment name will be one of the following:
* your_details.zip (contains details.pif)
* application.zip (contains application.pif)
* document.zip (contains document.pif)
* screensaver.zip (contains sky.world.scr)
* movie.zip (contains Movie.pif)
* Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode)
* Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt)
  * cftrb32.exe
  * rssp32.dat
* Delete unusual executables from the following folders:
  * C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
  * C:\Windows\All Users\Start Menu\Programs\Startup\
* Edit the registry: delete the "SFtrb Service" value from
  * "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
  * "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
* Reboot the system
Removal Tool