New Sobig virus strikes round the world

A variant of the Sobig worm appeared over the weekend and is now spreading rapidly. This is the third Sobig variant to hit the Internet this year, and security experts believe more variants may already be in the pipeline. Security analysts said the new version, W32/Sobig.C-mm, had already reached a "high level" outbreak status by mid-afternoon on Monday. Messagelabs, which offers email outsourcing to companies around the world, said it had stopped nearly 17,000 copies of the virus as of 14:00 British Summer Time, with 47 percent of those in the UK. Because of the increasing spread of the virus, McAfee has upgraded its risk assessment of Sobig.C to medium. The worm's main impact is to mass-mail itself to email addresses found in address books on the system, but such worms, when successful, can use large amounts of bandwidth. These can also be difficult to root out, because they spread via desktop PCs with minimal security. Like its predecessor, Sobig.B, also known as Palyh or Mankx, the current worm also connects to the Internet and attempts to download hacking software onto the victim's computer. The sites contacted by Sobig.C are not active, but Messagelabs said that the virus writer could activate them later. "He may just be playing possum," said Mark Toshack, a virus analyst with Messagelabs. Toshack speculated that the virus writer might be purposefully releasing a series of short-term worms in order to improve his or her technique. Sobig.B appeared in mid-May and had a cut-off date of 30 May, and the current worm will not propagate on a computer whose clock reads 8 June or later; another variant may appear around that date, Toshack said. "He may be refining the virus." Sobig.C on Monday rose to the No. 2 rank in Messagelabs' list of virus threats, although it is far behind the year-old W32/Yaha.E-mm, in the top spot, which infected about 63,000 emails over the past weekend alone. Sobig.A, dating from January, was in the No. 5 spot. Sobig.C uses the same mass-mailing engine as its predecessors to propagate. Messages appear to come from bill@microsoft.com or another spoofed email address. The email can have one of several subject lines, such as "Approved" "Re: 45443-343556" or "Re: Application", while the body always reads: "Please see the attached file". The attachment is called "document.pif", "screensaver.scr" or another similar name, using a .pif, .txt or .scr extension. However, the file is actually an executable. Besides spreading by email, it also copies itself to the "startup" directories on other computers on the network.

ZDNet UK's Matthew Broersma reported from London.