Security experts warn of worm variant

Sobig.C is already spreading rapidly around the world, and experts are warning that it may be succeeded in a few days by another upgrade.

Matthew Broersma Special to CNET News
A variant of the Sobig worm that appeared over the weekend is now spreading rapidly, security experts have warned.

This is the third Sobig variant to hit the Internet this year, and the experts believe more variants may already be in the pipeline, as the virus is set to self-terminate on June 8.

The new version, W32/Sobig.C-mm, had already reached a "high level" outbreak status by Monday, according to security analysts. U.K.-based MessageLabs, which offers e-mail outsourcing to companies around the world, said it had stopped nearly 17,000 copies of the virus in the past 48 hours, placing the virus in the No. 2 position on the company's list of most-prevalent viruses.

The worm is able to mass mail itself to e-mail addresses found in address books on the system. Such worms, when successful, can use large amounts of bandwidth. These can also be difficult to root out because they spread via desktop PCs with minimal security.

Like its predecessor, Sobig.B, also known as Palyh or Mankx, the current worm connects to the Internet and attempts to download hacking software onto the victim's computer.

The sites contacted by Sobig.C are not active, but MessageLabs said that the virus writer could activate them later. "He may just be playing possum," said Mark Toshack, a virus analyst with MessageLabs.

Toshack speculated that the virus writer might be purposefully releasing a series of short-term worms in order to improve his or her technique. Sobig.B appeared in mid-May and had a cut-off date of May 30, and the current worm will not propagate on a computer whose clock reads June 8 or later. Another variant may appear around that date, Toshack said. "He may be refining the virus."

Sobig.C on Monday rose to the No. 2 spot in MessageLabs' list of virus threats, although it is far behind the year-old W32/Yaha.E-mm, in the top spot, which infected about 63,000 e-mails over the past weekend alone. Sobig.A, dating from January, was in the No. 5 spot.

Sobig.C uses the same mass-mailing engine as its predecessors to propagate. Messages appear to come from bill@microsoft.com or another spoofed e-mail address. The e-mail can have one of several subject lines, such as "Approved," "Re: 45443-343556" or "Re: Application." The body always reads: "Please see the attached file." The attachment is called "document.pif", "screensaver.scr" or a similar name, using a .pif, .txt or .scr extension.

However, the file is actually an executable. Besides spreading by e-mail, it also copies itself to the "startup" directories on other computers on the network.
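As an added defender-side illustration (not code from the article, MessageLabs, McAfee or CNET), the following Python checks an inbound message for the Sobig.C traits listed above: the spoofed bill@microsoft.com sender, the quoted subject lines and body text, the .pif/.scr/.txt attachment names, and whether the attachment really is a Windows executable (it starts with the "MZ" magic) despite its extension. The indicator strings are the ones the article quotes; the verdict thresholds, the sample messages and the recipient address are constructed assumptions.

```python
"""Mail-gateway style check for the Sobig.C e-mail traits described in the
article. Added illustration: not MessageLabs', McAfee's or CNET's code.
Indicator strings come from the article; the verdict rules, sample
messages and addresses below are constructed assumptions."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Traits quoted in the article
SPOOFED_SENDERS = {"bill@microsoft.com"}
KNOWN_SUBJECTS = {"Approved", "Re: 45443-343556", "Re: Application"}
KNOWN_BODY = "please see the attached file."
KNOWN_NAMES = {"document.pif", "screensaver.scr"}
DISGUISE_EXTENSIONS = (".pif", ".scr", ".txt")   # extensions the worm hides behind
ALWAYS_RISKY = (".pif", ".scr")                   # executable types under any name


def is_pe_executable(data: bytes) -> bool:
    """True when the payload starts with the DOS/PE 'MZ' magic, i.e. it is a
    Windows executable regardless of what its file name claims."""
    return data[:2] == b"MZ"


def scan_message(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and return the Sobig.C indicators hit
    plus a verdict: 'quarantine', 'flag' or 'clean'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() in SPOOFED_SENDERS:
        hits.append("spoofed-sender")

    if str(msg.get("Subject", "")).strip() in KNOWN_SUBJECTS:
        hits.append("known-subject")

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() == KNOWN_BODY:
        hits.append("known-body")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name in KNOWN_NAMES:
            hits.append("known-attachment-name")
        if name.endswith(ALWAYS_RISKY):
            hits.append("risky-extension")
        # The decisive check: the content is a PE file whatever the extension says
        if name.endswith(DISGUISE_EXTENSIONS) and is_pe_executable(data):
            hits.append("executable-disguised")

    if "executable-disguised" in hits or len(hits) >= 3:
        verdict = "quarantine"          # constructed threshold
    elif hits:
        verdict = "flag"
    else:
        verdict = "clean"
    return {"hits": hits, "verdict": verdict}


def build_sample(sender: str, subject: str, body: str,
                 filename: str = None, payload: bytes = b"") -> bytes:
    """Build a constructed test message; the recipient address is made up."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(payload, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    # Constructed lookalike: the worm's traits with a fake 'MZ' stub as payload
    worm = build_sample("bill@microsoft.com", "Re: Application",
                        "Please see the attached file.",
                        "document.pif", b"MZ\x90\x00" + b"\x00" * 61)
    print(scan_message(worm))
    print(scan_message(build_sample("alice@example.com", "Lunch?", "Noon ok?")))
```

The magic-byte check is the part worth keeping even after the subject lines and sender change in a later variant: a message body that says "see the attached file" with a .txt or .pif attachment whose bytes begin with "MZ" is an executable in disguise no matter what the name says, which is exactly the trick the article describes.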

Because of the increasing spread of the virus, McAfee has upgraded its risk assessment of Sobig.C to medium.

ZDNet UK's Matthew Broersma reported from London.