Sobig virus rampage targets UK
Published: 04 Jun 2003 08:00 BST
The latest variant of the Sobig computer virus picked up speed on Tuesday, accounting for about 32,000 email messages during 3 June, according to email service provider MessageLabs.
The surge in email messages containing the worm pushed Sobig.C to the top position on the UK company's list of most prevalent threats. As of Wednesday morning, MessageLabs said its servers have stopped just over 84,000 copies of the worm since it was first detected over the weekend.
The third variant of the Sobig worm really adds nothing new, said Vincent Gullotto, vice president of the antivirus emergency response team at computer security company Network Associates. "The only thing I find interesting is that after the first two people, users were still opening and clicking on this," he said.
Network Associates raised Sobig.C's rating to a medium threat on Sunday, following a surge in customer reports of the infectious program. The company says it is getting 30 to 50 submissions of the virus from customers every day.
On Monday, the virus accounted for almost 34,000 email attachments blocked by MessageLabs' mail gateway. The United Kingdom accounted for nearly half of all email traffic caused by the worm, while the second-largest pool of victims -- the United States -- accounted for about a sixth.
The number of email messages sent by systems infected with the Sobig variant is only an indirect measure of the program's spread across the Internet. However, the data is perhaps the best currently available indicator of the number of infected systems.
Sobig.C infects Windows 95, 98, Me, NT, 2000 and XP systems when users open an attachment after receiving an email generated by the program. The email appears to come from several different addresses -- including bill@microsoft.com -- and contains any of the following subject lines: "Approved", "Re: 45443-343556", "Re: Application", "Re: Approved", "Re: Movie", "Re: Screensaver", "Re: Submited (004756-3463)" and "Re: Your application".
Once opened, the virus program will spread to any networked hard drive shared with the compromised system and search the current computer for email addresses to which it will send a copy of itself. If the date is 8 June or later, the virus won't try to spread.