June 26, 2003 12:23 PM PDT

Latest Sobig variant getting bigger

Related Stories

Sobig spawns a recipe for secret spam

June 25, 2003

Microsoft takes spam fight to court

June 17, 2003

Damage control

February 6, 2003
The latest variant of the Sobig virus continued to spread Thursday, underscoring how mass-mailing computer viruses can still be a nuisance.

In the past 24 hours, the virus, known as Sobig.E, mainly has affected U.S. computer users, according to e-mail service provider MessageLabs. The company, which filters e-mail messages and removes viruses and spam for clients, reported 70 percent of the Sobig.E-infected messages came from the United States. Another 18 percent came from U.K. sources.

"Certainly yesterday, it had everything to do with the time zone," said Mark Sunner, chief technology officer at MessageLabs. "It kicked off when the U.S. was just starting its working day." Sunner added that the virus appears to have been released by an online vandal in the United States.

Sobig.E has been quite successful at spreading and has jumped to the top of MessageLab's daily list of most-seen attachments. However, its reach so far has fallen short of recent viruses such as Bugbear.B, which accounted for almost 32,000 e-mail attachments in its first 24 hours. Sobig.E accounted for fewer than 25,000, Sunner said.

Antivirus companies are expressing moderate concern for how fast the virus has spread. Security software firm Symantec raised its rating of the virus to a middle-of-the-road "3" on its five-level threat rating. Rival Network Associates assigned a "moderate" threat rating to the virus.

"We are still getting a lot of submissions" from companies reporting the variant, said Craig Schmugar, a virus research engineer for Network Associates. While submissions from companies have fallen, the virus apparently has sent a significant number of copies of itself to the antivirus firms in the regular course of spreading.

Sobig.E, like other versions of the virus, appears in a recipient's in-box with the subject line "Re: Movie" or "Re: Application." The body of the message states: "Please see the attached zip file for details." The malicious program is contained in an 80KB attachment to the message. It infects any PC running a Microsoft Windows operating system when the attachment is opened.

The virus grabs e-mail addresses from several different locations on a computer, including the Windows address book and Internet cache, and sends e-mails to each one. The virus also forges the source of the message using a randomly selected e-mail address, so that the infected message appears to come from someone else.

Sobig.E is more efficient than previous version of the virus in sending e-mail addresses, according to MessageLabs' analysis, because the e-mail engine that it uses to send e-mail is "multi-threaded." While earlier versions of the virus had to wait for a task, or thread, to be completed, Sobig.E can send multiple e-mails at the same time, making it a much more efficient spam engine.

The virus has hit home users harder than companies. Vincent Weafer, senior director of Symantec's security response team, said home users are 10 times more likely to report the virus.

"That matches what we have seen with other variants of Sobig," Weafer said.

 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.