Sobig worm stomps on PCs

A new mass-mailing virus is on the loose, and has grown quickly over the weekend

Antivirus experts are warning of a new virus, code-named W32/Sobig.A, which was discovered late last week and spread rapidly over the weekend. By Monday morning, Sobig was the third most prevalent virus on the Internet, according to UK-based email security firm MessageLabs.

Sobig is a mass-mailing worm incorporating its own SMTP engine, according to antivirus companies. It arrives from the email address "big@boss.com" and bears a subject line such as "Re: here is that sample", "Re: Movies", "Re: Document" or "Re: Sample". The email contains an attachment called "Document003.pif", "Sample.pif", "Untitled1.pif" or "Movie_0074.pif".

It affects the Windows 95, 98, Me, NT, 2000 and XP platforms. The worm was originally not considered a serious threat, but has been upgraded due to its rapid spread.

When the attachment is clicked on, it runs a program that searches for files containing email addresses and uses these to send infected emails. It also connects to a Web site and downloads a text file containing another Web address, from which it attempts to download and run another program. MessageLabs speculated that this program was a backdoor trojan horse, which could allow a hacker to take control of the user's PC.

If there is a local-area network connection, Sobig attempts to copy itself onto shared network folders.

It was first detected on Thursday in the Netherlands, according to MessageLabs, and is most active in the Netherlands, the UK and the US.

The worm has spread rapidly despite its reliance on an attachment that must be downloaded and launched by a user. However, many experts are predicting the imminent appearance of viruses that are able to infect millions of computers in a matter of minutes or seconds by attacking server vulnerabilities directly, without human intervention.

Last week's Lirva worm, which is still in MessageLabs' top five list, also spread through "social engineering" -- tricking users into launching a damaging program.

Sophos, Symantec and McAfee have published instructions for blocking and removing the worm.


For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Let the editors know what you think in the Mailroom.