ZDNet UK

• CNET NETWORKS UK BUSINESS SITES:
• atlarge.com
• BNET UK
• silicon.com
• SmartPlanet.com
• ZDNet.co.uk

Sobig rears its head again

• Tags:
• MessageLabs,
• W32/Sobig.F-mm,
• Sobig.F,
• Virulent

Staff, CNETAsia CNETAsia

Published: 19 Aug 2003 14:45 BST

• 
• 
• 
• 
• 

The Sobig email virus that caused havoc two months ago has reappeared in a virulent new form, according to email service provider MessageLabs.

The firm has given it a high-level alert status as it appears to be spreading very vigorously.

The new worm, codenamed W32/Sobig.F-mm, appeared on Monday, according to the firm. All copies came from the US. So far, the worm has been active in the US, Denmark and Norway. Anecdotal evidence suggests that it has also spread to Asia Pacific. MessageLabs on Tuesday reported that 21 percent of cases were in the UK. The Sophos Web site indicated that the antivirus firm had received "many reports of this worm from the wild."

"Initial analysis would suggest that Sobig.F is a mass-emailing virus that is spreading very vigorously. Sobig.F appears to be polymorphic in nature. The address is also spoofed and may not indicate the true identity of the sender," according to a MessageLabs statement.

The sender appears to be someone from a recognised domain name, such as ibm.com, zdnet.com or Microsoft.com. The subject line typically says "Re: Details", "Resume" or "Thank you".

Attachment names may include: your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document_Fall.pif, application.pif, and document_9446.pif.

The virus grabs email addresses from several different locations on a computer, including the Windows address book and Internet cache, and sends emails to each one. The virus also forges the source of the message using a randomly selected email address, so that the infected message appears to come from someone else.

Sobig.F is more efficient than previous versions of the virus in sending email addresses, according to MessageLabs' analysis, because the email engine that it uses to send email is "multi-threaded." While earlier versions of the virus had to wait for a task, or thread, to be completed, Sobig.F can send multiple emails at the same time, making it a much more efficient spam engine.

In an attempt to bypass local antivirus security, the file size varies on each generation by appending rubbish to the end of the file, but is on average around 74Kb in size, according to MessageLabs.

News.com's Robert Lemos contributed to this report.

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit

• Most Recent
• Most Popular
• Most Discussed