New Sobig on the rampage

The latest variant of the Sobig virus has the ability to spread across file-sharing networks as well as by email, making it the worst strain yet, experts warned on Tuesday afternoon.
Written by Graeme Wearden, Contributor


Email service provider MessageLabs had already detected 60,000 copies of Sobig-F, first spotted earlier on Tuesday. The company said the variant could turn out to be one of the most active viruses of the year and could hit British computer users particularly hard: a third of the copies detected so far were in the UK.

According to Alex Shipp, senior antivirus technologist at MessageLabs, Sobig-F is easily the most powerful member of the Sobig family to date. Shipp believes that it has been released by the same virus writer who created the original Sobig, which hit the Internet in January this year.

"He's made a couple of tweaks. Previous Sobigs had a bug where the last letter of the file-name was dropped, which meant the file wouldn't run. That's now been fixed," explained Shipp.

Another addition to Sobig-F's armoury is the ability to spread across file-sharing networks, Shipp said. He wasn't yet able to say which peer-to-peer applications are affected, but warned that this made Sobig-F a serious threat to home users. Businesses whose employees are running P2P software are also at risk, as this infection route is not normally covered by email scanners, which can otherwise catch Sobig-F.

When spreading by email, Sobig-F appears to have been sent from a recognised domain name, such as ibm.com, zdnet.com or Microsoft.com. The subject line typically says "Re: Details", "Resume" or "Thank you".

Attachment names may include: your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document_Fall.pif, application.pif, and document_9446.pif.

The virus grabs email addresses from several different locations on a computer, including the Windows address book and Internet cache, and sends emails to each one. The virus also forges the source of the message using a randomly selected email address, so that the infected message appears to come from someone else.

Sobig-F is more efficient than previous versions at sending email, according to MessageLabs' analysis, because its email engine is multi-threaded. Where earlier versions had to wait for one sending task to complete before starting the next, Sobig-F can send multiple emails at the same time, making it a much more efficient spam engine.

In an attempt to evade desktop antivirus scanners, the virus appends junk to the end of its file so that the file size varies from one generation to the next; on average the file is around 74KB, according to MessageLabs.
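The padding trick described above is worth seeing in code, because it shows why a blocklist keyed on file size or a whole-file hash is useless against this kind of variant while a signature on the fixed code bytes still works. The following Python is an added example for this article, not code from MessageLabs or from the worm; the "code section" is a constructed stand-in blob, not a real executable, and the signature string is invented for the demonstration.

```python
import hashlib
import os
import random

# Constructed stand-in for the part of the file that never changes between
# copies: a fake DOS header, a marker string and some filler. Not a real
# executable, and the marker is an invented signature for this example only.
FIXED_CODE = b"MZ" + bytes(range(60)) + b"SOBIG-F-DEMO-CODE" + b"\x90" * 200
DEMO_SIGNATURE = b"SOBIG-F-DEMO-CODE"


def pad_generation(code, junk):
    """One 'generation' of the file: the unchanged code with junk appended.

    Appending is the only change between copies, which is exactly what
    makes size- and whole-file-hash-based matching fail."""
    return code + junk


def random_generation(code=FIXED_CODE, max_junk=4096):
    """Emulate the worm: append a random amount of random rubbish."""
    return pad_generation(code, os.urandom(random.randint(1, max_junk)))


def whole_file_hash(data):
    """What a naive hash blocklist would key on: changes on every generation."""
    return hashlib.sha256(data).hexdigest()


def code_hash(data, length=len(FIXED_CODE)):
    """Hash only the leading, fixed region, ignoring any trailing padding."""
    return hashlib.sha256(data[:length]).hexdigest()


def matches_signature(data, signature=DEMO_SIGNATURE):
    """Byte-pattern match, the way a scanner detects the file whatever its size."""
    return signature in data


def compare_generations(a, b):
    """Summarise how two generations look to each detection approach."""
    return {
        "same_size": len(a) == len(b),
        "same_whole_file_hash": whole_file_hash(a) == whole_file_hash(b),
        "same_code_hash": code_hash(a) == code_hash(b),
        "both_match_signature": matches_signature(a) and matches_signature(b),
    }


if __name__ == "__main__":
    gen1, gen2 = random_generation(), random_generation()
    for key, value in compare_generations(gen1, gen2).items():
        print(f"{key}: {value}")
```

Running the script prints that the two generations differ in size and whole-file hash but agree on the code-region hash and on the signature match; a gateway rule built on "74KB attachments" or on a hash seen in the first sample would miss the very next copy.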

Shipp believes that the email form of Sobig-F poses a greater threat to home users than to businesses, as "many firms will be blocking .pif files already".
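The indicators given above (the subject lines, the attachment names, the forged sender and the .pif extension many firms already block) translate directly into a gateway filter. The Python below is an added example written for this article, not MessageLabs' or any vendor's code: it uses the standard-library email parser, treats the two sample messages as constructed inputs rather than real captures, and adds two assumptions of its own, a typical executable-extension block list beyond .pif, and a heuristic that compares the From: domain with the relay named in the Received: header our own gateway added.

```python
import re
from email import message_from_string

# Indicators reported by MessageLabs for Sobig-F, taken from the article.
# Attachment names are stored lower-cased so matching is case-insensitive.
SOBIG_F_SUBJECTS = {"Re: Details", "Resume", "Thank you"}
SOBIG_F_ATTACHMENTS = {
    "your_document.pif", "details.pif", "your_details.pif", "thank_you.pif",
    "movie0045.pif", "document_fall.pif", "application.pif", "document_9446.pif",
}
# Extensions rejected outright. The article mentions .pif; the others are an
# assumed, typical executable block list, not from the article.
BLOCKED_EXTENSIONS = (".pif", ".scr", ".bat", ".com", ".exe")


def attachment_names(msg):
    """Filenames of every leaf MIME part that carries one."""
    return [part.get_filename() for part in msg.walk()
            if not part.is_multipart() and part.get_filename()]


def sender_domain_mismatch(msg):
    """Assumed heuristic (not from the article): Sobig-F forges From:, so mail
    claiming to be from ibm.com that reached our gateway from an unrelated host
    is suspicious. Compares the From: domain with the host named in the first
    Received: header, i.e. the hop our own MX recorded."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    received = msg.get_all("Received", [])
    if not m or not received:
        return False
    claimed = m.group(1).lower()
    hop = re.search(r"from\s+([\w.-]+)", received[0])
    if not hop:
        return False
    relay = hop.group(1).lower()
    return not (relay == claimed or relay.endswith("." + claimed))


def classify(raw):
    """Return the reasons a message looks like Sobig-F; an empty list means clean."""
    msg = message_from_string(raw)
    reasons = []
    subject = (msg.get("Subject") or "").strip()
    if subject in SOBIG_F_SUBJECTS:
        reasons.append(f"known Sobig-F subject: {subject!r}")
    if sender_domain_mismatch(msg):
        reasons.append("From: domain does not match the delivering relay")
    for name in attachment_names(msg):
        lower = name.lower()
        if lower in SOBIG_F_ATTACHMENTS:
            reasons.append(f"known Sobig-F attachment name: {name}")
        elif lower.endswith(BLOCKED_EXTENSIONS):
            reasons.append(f"blocked executable extension: {name}")
    return reasons


# Constructed sample messages, not real captures. The base64 body is a short
# stand-in blob, not an executable.
SAMPLE_INFECTED = """\
Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.corp.example
From: support@ibm.com
To: victim@corp.example
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sobig"

--sobig
Content-Type: text/plain

Please see the attached file for details.
--sobig
Content-Type: application/octet-stream; name="your_details.pif"
Content-Disposition: attachment; filename="your_details.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--sobig--
"""

SAMPLE_CLEAN = """\
Received: from smtp.corp.example (smtp.corp.example [198.51.100.5]) by mx.corp.example
From: colleague@corp.example
To: victim@corp.example
Subject: Lunch on Thursday?
Content-Type: text/plain

Are you free at noon?
"""

if __name__ == "__main__":
    for label, raw in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, classify(raw) or ["no indicators"])
```

The extension check is the one that would have stopped the email route cold at firms already blocking .pif, as Shipp notes; the subject and filename lists only catch this generation, and the relay heuristic is deliberately a flag rather than a reject, since legitimate mail via third-party relays trips it too.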

Shipp added that the major antivirus firms should already be producing signature updates to detect Sobig-F, and suggested that consumers compare notes on how well their antivirus protection works, as some products have been much better than others at catching Sobig variants.

Sobig-E, which emerged in June, attempted to hijack PCs in order to use them to send spam emails. It is thought that Sobig-F does the same, which Shipp believes is proof that the virus writer is working closely with spammers. As most spammers live in the US, the odds are that the virus writer is based there as well, he said.

It's also unlikely that Sobig-F will be the last strain to emerge. "It is programmed to stop on 10 September, but by then there will be another variant out there," predicted Shipp.

CNET Asia staff and CNET News.com's Robert Lemos contributed to this story.
