Sobig worm spreading fast

The rapid spread of the Sobig computer virus has surprised antivirus software companies, forcing them to upgrade their threat ratings.

The worm uses e-mail and shared network folders to infect machines running Microsoft's Windows operating system, said antivirus company F-Secure.

The worm came to the attention of antivirus companies last week and began spreading slowly. The past few days, however, the virus has spread more rapidly.

F-Secure gave the worm a Level 2 ranking yesterday (14 January), indicating that it is "causing large infections" and putting it in a category with well-known predecessors such as the Klez worm.

On Monday (13 January), Symantec's Security Response upgraded Sobig from a category 2 to a "moderate" category 3 threat.

Sobig arrives in e-mail messages from a single sender, "[email protected]", and is stored in attached executable files with names such as "Sample.pif", "Untitled1.pif" and "Movie_0074.mpeg.pif".

When opened, the worm places a copy of itself into the Windows folder on the infected machine, creates a process to run the worm program and modifies the Windows registry so that the worm program will be launched whenever Windows is started.

Once it has infected a machine, the worm searches for e-mail addresses in a variety of text files on the computer's hard drive. Those addresses are used to send out more copies of the worm.

Sobig also searches for any shared folders on networks that the infected machine may have access to and places a copy of itself in any network folder it can access.
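The two indicators the article gives for this worm, the disguised .pif attachment names and the registry start-up entry pointing at a copy dropped in the Windows folder, can be triaged with a short script. This is an added example, not code from the article or from F-Secure or Symantec; the sample attachment names and Run-key values are constructed, and the check for a start-up entry uses the standard Windows Run key mechanism as an assumption about how the registry modification was made.

```python
"""Defensive triage of Sobig-style indicators (added example, constructed samples)."""
from __future__ import annotations

# Extensions Windows executes even though .pif looks like a harmless shortcut file
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat"}
# Attachment names quoted in the article, compared case-insensitively
KNOWN_SOBIG_NAMES = {"sample.pif", "untitled1.pif", "movie_0074.mpeg.pif"}


def attachment_findings(name: str) -> list[str]:
    """Return the reasons an attachment name matches the worm's delivery pattern."""
    lower = name.lower()
    parts = lower.split(".")
    findings = []
    if lower in KNOWN_SOBIG_NAMES:
        findings.append("known Sobig attachment name")
    if len(parts) > 1 and "." + parts[-1] in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension .{parts[-1]}")
    # Double extension such as Movie_0074.mpeg.pif: a media-looking name whose
    # real (last) extension is executable; the middle one is only decoration
    if len(parts) > 2 and "." + parts[-1] in EXECUTABLE_EXTENSIONS:
        findings.append(f"double extension hides .{parts[-1]} behind .{parts[-2]}")
    return findings


def _executable_path(command: str) -> str:
    """Extract the program path from a Run-key command, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def suspicious_run_entries(run_values: dict[str, str],
                           windows_dir: str = r"C:\WINDOWS") -> dict[str, str]:
    """Flag Run-key values (value name -> command) that launch an executable
    placed directly in the Windows folder, the persistence the article describes.
    Legitimate entries normally live in a subdirectory such as system32."""
    prefix = windows_dir.lower().rstrip("\\") + "\\"
    flagged = {}
    for value, command in run_values.items():
        path = _executable_path(command)
        rest = path.lower()[len(prefix):] if path.lower().startswith(prefix) else None
        if rest is not None and "\\" not in rest and "." + rest.rsplit(".", 1)[-1] in EXECUTABLE_EXTENSIONS:
            flagged[value] = path
    return flagged


# Constructed sample Run-key values: one benign-looking, one matching the worm's habit
SAMPLE_RUN_VALUES = {
    "Constructed Updater": r"C:\WINDOWS\system32\updater.exe /quiet",
    "Constructed Worm": r'"C:\WINDOWS\Sample.pif"',
}
```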

Although the worm does not appear to steal sensitive information from the computers it infects, F-Secure warned that Sobig does connect to a Web site hosted by Yahoo!'s GeoCities, from which it tries to download and execute other files.

The GeoCities Web page used by Sobig was modified recently to instruct the worm to download a trojan program known as Backdoor.Delf, which gives the virus writer and others control of infected machines, said Mikko Hyppönen, manager of antivirus research at F-Secure.

GeoCities has been notified about the page by F-Secure as well as the CERT Coordination Center, according to Hyppönen. Yahoo! was not immediately available to comment on the Sobig worm.

The success of Sobig since it first appeared surprised Hyppönen, who said it is a comparatively simple worm that lacks many of the sophisticated features that allow a new generation of viruses to spread.

Most antivirus software vendors last week updated their software to identify Sobig.
