X

Sobig worm keeps on growing

The latest variant of the mass-mailing malicious program continues to spread, say security experts, claiming the top spot on a list of virus threats.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
The latest variant of the Sobig computer virus picked up speed on Tuesday, accounting for nearly 32,000 e-mail messages in the last 24 hours, according to e-mail service provider MessageLabs.

The surge in e-mail messages containing the worm pushed Sobig.C to the top position on the U.K. company's list of most prevalent threats.

The third variant of the Sobig worm really adds nothing new, said Vincent Gullotto, vice president of the antivirus emergency response team at computer security company Network Associates

"The only thing I find interesting is that after the first two people, users were still opening and clicking on this," he said.

Network Associates raised Sobig.C's rating to a medium threat on Sunday, following a surge in customer reports of the infectious program. The company says it is getting 30 to 50 submissions of the virus from customers every day.

On Monday, the virus accounted for almost 34,000 e-mail attachments blocked by MessageLabs' mail gateway. The United Kingdom accounted for nearly half of all e-mail traffic caused by the worm, while the second-largest pool of victims--the United States--accounted for about a sixth.

The number of e-mail messages sent by systems infected with the Sobig variant is only an indirect measure of the program's spread across the Internet. However, the data is perhaps the best currently available indicator of the number of infected systems.

Sobig.C infects Windows 95, 98, Me, NT, 2000 and XP systems when users open an attachment after receiving an e-mail generated by the program. The e-mail appears to come from several different addresses--including bill@microsoft.com--and contains any of the following subject lines: "Approved," "Re: 45443-343556," "Re: Application," "Re: Approved," "Re: Movie," "Re: Screensaver," "Re: Submited (004756-3463)," and "Re: Your application."

Once opened, the virus program will spread to any networked hard drive shared with the compromised system and search the current computer for e-mail addresses to which it will send a copy of itself. If the date is June 8 or later, the virus won't try to spread.