Latest Sobig strain spreads rapidly

Antivirus companies have warned that the latest version of the Sobig virus is rapidly spreading on the internet.

The worm, W32.Sobig.F, first appeared yesterday (19 August), prompting antivirus software companies to release updated virus identity files to detect and stop the threat.

F-Secure rated Sobig.F a "Level 2 Alert", indicating a large number of infections. Sophos said that it had received "many reports" of the latest Sobig worm from customers.

The first Sobig worm appeared in January, infecting machines running Microsoft's Windows operating system.

Like that worm, Sobig.F spreads through infected e-mail message attachments and unprotected shared folders on computer networks, modifying a computer's operating system so that the Sobig.F worm code is run whenever Windows is started.

When opened, the worm places a copy of itself into the Windows folder on the infected machine, creates a process to run the worm program and modifies the Windows registry so that the worm program will be launched whenever Windows is started.

Sobig.F, like its predecessors, comes with its own SMTP (Simple Mail Transfer Protocol) engine, which it uses to mail copies of itself to e-mail addresses it harvests from files and e-mail address books on a victim's computer, Sophos said.

The worm arrives in e-mail messages with nondescript subjects such as "Re: Thank you!", "Your details" and "Re: wicked screensaver".

The worm code is stored in attached executable files with names such as "your_document.pif", "details.pif" and "movie0045.pif", according to F-Secure.

However, unlike earlier strains of Sobig, the F-strain is more savvy in its efforts to trick users into opening the infected file that launches the worm.

All versions of the original Sobig worm were sent from the same e-mail address, [email protected], and a later variant posed as an e-mail message from Microsoft chairman and chief software architect Bill Gates.

In contrast, Sobig.F inserts e-mail addresses stolen from the victim's computer into the "From:" field, creating the impression that the e-mail was sent from a trusted source.

Like earlier Sobig variants, Sobig.F comes with an expiry date. The worm will stop spreading on 10 September. Copies of Sobig.F that are launched after that date will shut down immediately, F-Secure said.

In the past, Sobig strains have appeared soon after previous strains expired.

Antivirus companies have recommended that customers update their antivirus software, and have posted instructions and free tools for disinfecting machines infected by Sobig.

Paul Roberts writes for IDG News Service