Advertisement
Promo

Security threats Toolkit

Sobig rears its head again

Staff, CNETAsia CNETAsia

Published: 19 Aug 2003 14:45 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

The Sobig email virus that caused havoc two months ago has reappeared in a virulent new form, according to email service provider MessageLabs.

The firm has given it a high-level alert status as it appears to be spreading very vigorously.

The new worm, codenamed W32/Sobig.F-mm, appeared on Monday, according to the firm. All copies came from the US. So far, the worm has been active in the US, Denmark and Norway. Anecdotal evidence suggests that it has also spread to Asia Pacific. MessageLabs on Tuesday reported that 21 percent of cases were in the UK. The Sophos Web site indicated that the antivirus firm had received "many reports of this worm from the wild."

"Initial analysis would suggest that Sobig.F is a mass-emailing virus that is spreading very vigorously. Sobig.F appears to be polymorphic in nature. The address is also spoofed and may not indicate the true identity of the sender," according to a MessageLabs statement.

The sender appears to be someone from a recognised domain name, such as ibm.com, zdnet.com or Microsoft.com. The subject line typically says "Re: Details", "Resume" or "Thank you".

Attachment names may include: your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document_Fall.pif, application.pif, and document_9446.pif.

The virus grabs email addresses from several different locations on a computer, including the Windows address book and Internet cache, and sends emails to each one. The virus also forges the source of the message using a randomly selected email address, so that the infected message appears to come from someone else.

Sobig.F is more efficient than previous versions of the virus in sending email addresses, according to MessageLabs' analysis, because the email engine that it uses to send email is "multi-threaded." While earlier versions of the virus had to wait for a task, or thread, to be completed, Sobig.F can send multiple emails at the same time, making it a much more efficient spam engine.

In an attempt to bypass local antivirus security, the file size varies on each generation by appending rubbish to the end of the file, but is on average around 74Kb in size, according to MessageLabs.

News.com's Robert Lemos contributed to this report.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
70 out of 155 people found this useful


Full Talkback thread

1 comment

  1. And so this crazy summer continues with yet anothe... Andy Campbell

Company/Topic Alerts

Create a new alert from the list below:



Video icon

Video

Sentry Posts Blog

McKinnon lawyers seek judicial review

Lawyers seeking a judicial review for Nasa hacker Gary McKinnon lodged fresh evidence of his psychiatric state at the High Court on Thursday. Karen Todner, McKinnon's solicitor,... More

1 comment

Beware of keeping your head in the clo...

Information security professionals can look forward to a deepening appreciation for their skills as security continues to be recognised as an essential element for doing business in... More

1 comment

Civil liberties groups attack file-sha...

Civil liberties and digital rights organisations have strongly criticised Lord Mandelson's Digital Economy Bill. Liberty said in a position paper on Tuesday that the bill, part of... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

Newsletters