January 13, 2003 1:00 PM PST
Sobig virus sows few PC problems
Dubbed W32/Sobig, the mass-mailing worm has claimed the No. 2 slot on MessageLabs' list of most-active malicious attachments, with the company capturing almost 10,000 copies of the virus from e-mails in the past 24 hours. However, those numbers fall short of those tallied by major computer-virus threats such as Klez, which retains the No. 1 slot on the e-mail service provider's list after nine months in circulation.
Like other Internet computer worms in the past year, Sobig has spread less among corporate users and more among home users--many of whom are uneducated about computer security, said Vincent Gullotto, vice president of security company Network Associates' antivirus emergency response team.
"It has hit the home-user space, as many have hit them in the past," he said. "It has jumped out of the box, just like several others have jumped out of the box. But it won't grow that big, and it will slowly fade away."
Network Associates ranked the Sobig virus as a "medium" threat to both corporate and home users, according to a company advisory. The virus can infect all versions of Microsoft's Windows operating system.
PC users will likely encounter the Sobig virus first as a PIF (process interchange format) e-mail attachment from firstname.lastname@example.org. The subject will typically be "Re: Movies," "Re: Sample," "Re: Document" or "Re: Here is that sample." If the attachment is opened, the program will attempt to copy itself to all available shared hard drives on the network to which the PC is attached. The virus will e-mail itself to the e-mail addresses found in the Windows address book and in several other file types as well.
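As an added illustration (not part of the original article, and not any vendor's code), the traits described above can be checked at a mail gateway: parse the message, look for a PIF attachment, and compare the subject with the quoted list. The function names, verdict strings and sample messages are assumptions constructed for this sketch.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines quoted in the article, lowercased for comparison.
SOBIG_SUBJECTS = {"re: movies", "re: sample", "re: document",
                  "re: here is that sample"}
BLOCKED_EXT = ".pif"  # attachment type named in the article


def attachment_names(msg):
    """Return the declared filename of every MIME part that has one."""
    return [p.get_filename().strip() for p in msg.walk() if p.get_filename()]


def is_blocked(name):
    # Windows drops trailing dots and spaces, so "a.pif." still opens as a .pif.
    return name.lower().rstrip(". ").endswith(BLOCKED_EXT)


def assess(raw_bytes):
    """Return (verdict, matching_filenames); verdict names are hypothetical."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = " ".join((msg["Subject"] or "").split()).lower()
    hits = [n for n in attachment_names(msg) if is_blocked(n)]
    if hits and subject in SOBIG_SUBJECTS:
        return "quarantine", hits          # both traits from the article match
    if hits:
        return "strip-attachment", hits    # PIF alone is still not deliverable
    return "deliver", []


def build_sample(subject, filename=None):
    """Build a constructed test message (not a captured worm sample)."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m["Subject"] = subject
    m.set_content("see attachment")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, fn in [("Re: Movies", "Movie.pif"), ("Status", "report.PIF."),
                     ("Re: Sample", None)]:
        print(subj, fn, assess(build_sample(subj, fn)))
```

A subject match without a PIF attachment is delivered, since the quoted subjects are ordinary reply lines on their own.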
The worm also has the ability to retrieve updates of itself from the Web. The latest update contains backdoor software that could allow an attacker to access the victim's PC.
Sobig has already become a bigger threat than the Avril worm that made moderate headway last week in spreading across the Internet. The Avril worm, whose name may refer to singer Avril Lavigne and which is also known as Lirva and Naith, still isn't considered a major threat.
"There is a certain pool of computers that are hotbeds for spreading malicious code," said Ken Dunham, senior intelligence analyst for threat analysis firm iDefense. "However, if you are good at updating your antivirus definitions, then you are pretty safe."
"I think you will see over the next few months many more of these types of viruses that spread to some extent, but nothing like the levels two years ago," he said.