Virus warning: Sobig worm stomps on PCs

Sobig not so clever
Written by ZDNet Staff, Contributor

Sobig not so clever

A new virus, code-named W32/Sobig.A, is on the loose and spreading quickly, according to antivirus experts. The worm was discovered late last week and has spread rapidly over the weekend. By Monday morning, Sobig was the third most prevalent virus on the internet, according to UK-based email security firm MessageLabs. Sobig is a mass-mailing worm incorporating its own SMTP engine, according to antivirus companies. It arrives from the email address "big@boss.com" and bears a subject line such as "Re: here is that sample", "Re: Movies", "Re: Document" or "Re: Sample". The email contains an attachment called "Document003.pif", "Sample.pif", "Untitled1.pif" or "Movie_0074.pif". It affects the Windows 95, 98, Me, NT, 2000 and XP platforms. The worm was originally not considered a serious threat, but has been upgraded due to its rapid spread. When the attachment is clicked on, it runs a program that searches for files containing email addresses and uses these to send infected emails. It also connects to a website and downloads a text file containing another web address, from which it attempts to download and run another program. MessageLabs speculated that this program was a backdoor trojan horse, which could allow a hacker to take control of the user's PC. If there is a local-area network connection, Sobig attempts to copy itself onto shared network folders. It was first detected on Thursday in the Netherlands, according to MessageLabs, and is most active in the Netherlands, the UK and the US. The worm has spread rapidly despite its reliance on an attachment that must be downloaded and launched by a user. However, many experts are predicting the imminent appearance of viruses that are able to infect millions of computers in a matter of minutes or seconds by attacking server vulnerabilities directly, without human intervention. Last week's Lirva worm, which is still in MessageLabs' top five list, also spread through "social engineering" - tricking users into launching a damaging program. Sophos, Symantec and McAfee have published instructions for blocking and removing the worm. Matthew Broersma writes for ZDNet UK
Editorial standards