August 19, 2003 8:47 AM PDT

World squirms as Sobig returns

The Sobig e-mail virus that caused havoc two months ago has reappeared in a virulent new form, according to e-mail service provider MessageLabs.

The company has given the virus a high-level alert status because of its rapid spread.

The new worm, code-named W32/Sobig.F-mm, appeared Monday, according to the company. All copies came from the United States. So far, the worm has been active in the United States, Denmark and Norway. Anecdotal evidence suggests that it has also spread to Asia-Pacific.

MessageLabs on Tuesday reported that 21 percent of cases were in the United Kingdom. The Sophos Web site indicated that the antivirus company had received "many reports of this worm from the wild."

"Initial analysis would suggest that Sobig.F is a mass-e-mailing virus that is spreading very vigorously. Sobig.F appears to be polymorphic in nature. The address is also spoofed and may not indicate the true identity of the sender," a MessageLabs statement said.

The sender appears to be someone from a recognized domain name, such as ibm.com, zdnet.com or microsoft.com. The subject line typically says "Re: Details," "Resume" or "Thank you."

Attachment names may include: your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document_Fall.pif, application.pif, and document_9446.pif.

The virus grabs e-mail addresses from several different locations on a computer, including the Windows address book and Internet cache, and sends e-mails to each one. The virus also forges the source of the message using a randomly selected e-mail address so that the infected message appears to come from someone else.

Sobig.E is more efficient than previous versions of the virus in sending e-mail addresses, according to MessageLabs' analysis, because the e-mail engine that it uses to send e-mail is "multithreaded." While earlier versions of the virus had to wait for a task, or thread, to be completed, Sobig.E can send multiple e-mails concurrently, making it a much more efficient spam engine.

In an attempt to bypass local antivirus security, the file size varies on each generation by appending rubbish to the end of the file but is on average about 74KB, according to MessageLabs.

CNETAsia staff reported from Singapore. CNET News.com's Robert Lemos contributed to this report.

 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.