This is the third Sobig variant to hit the Internet this year, and the experts believe more variants may already be in the pipeline, as the virus is set to self-terminate on June 8.
The new version, W32/Sobig.C-mm, had already reached a "high level" outbreak status by Monday, according to security analysts. U.K.-based MessageLabs, which offers e-mail outsourcing to companies around the world, said it had stopped nearly 17,000 copies of the virus in the past 48 hours, placing the virus in the No. 2 position on the company's list of most-prevalent viruses.
The worm is able to mass mail itself to e-mail addresses found in address books on the system. Such worms, when successful, can use large amounts of bandwidth. These can also be difficult to root out because they spread via desktop PCs with minimal security.
Like its predecessor,, the current worm connects to the Internet and attempts to download hacking software onto the victim's computer.
The sites contacted by Sobig.C are not active, but MessageLabs said that the virus writer could activate them later. "He may just be playing possum," said Mark Toshack, a virus analyst with MessageLabs.
Toshack speculated that the virus writer might be purposefully releasing a series of short-term worms in order to improve his or her technique. Sobig.B appeared in mid-May and had a cut-off date of May 30, and the current worm will not propagate on a computer whose clock reads June 8 or later. Another variant may appear around that date, Toshack said. "He may be refining the virus."
Sobig.C on Monday rose to the No. 2 spot in MessageLabs' list of virus threats, although it is far behind the year-old W32/Yaha.E-mm, in the top spot, which infected about 63,000 e-mails over the past weekend alone. Sobig.A, , was in the No. 5 spot.
Sobig.C uses the same mass-mailing engine as its predecessors to propagate. Messages appear to come from firstname.lastname@example.org or another spoofed e-mail address. The e-mail can have one of several subject lines, such as "Approved," "Re: 45443-343556" or "Re: Application." The body always reads: "Please see the attached file." The attachment is called "document.pif", "screensaver.scr" or a similar name, using a .pif, .txt or .scr extension.
However, the file is actually an executable. Besides spreading by e-mail, it also copies itself to the "startup" directories on other computers on the network.
Because of the increasing spread of the virus, McAfee has upgraded its risk assessment of Sobig.C to medium.
To find out how to remove the Sobig.C worm from your system, click here.
ZDNet UK's Matthew Broersma reported from London.