Sobig spawns a recipe for secret spam
Now spreading worldwide, a new variant of the Sobig worm could allow spammers to use infected PCs to send bulk e-mail that can't be traced back to its source.
Initial analysis by antivirus companies indicated that the mass-mailing computer worm, called Sobig.E, doesn't have a malicious payload. However, e-mail service provider MessageLabs believes spammers will use the virus's mail program on victims' computers to send anonymous messages.
"This is almost certainly being precipitated by a spammer that is trying to create more open relays to send spam," said Mark Sunner, chief technology officer for the New York-based company.
An open relay is a computer that accepts e-mail bound for other destinations and then resends the messages anonymously. Using open relays allows spammers to hide the location from which they are sending bulk e-mail.
While there is no concrete proof that Sobig.E has been created and released by a spammer, Sunner said that many bulk e-mailers are already using computers infected with a previous variant of the computer virus to avoid leaving traces. Moreover, the fact that Sobig.E has an expiration date--it will stop spreading on July 14--suggests that the creator doesn't want its infection to turn into a full-blown epidemic, he said.
In reality, the program is spreading quite successfully as a Zip-compressed e-mail attachment. Copies of the worm have been seen in 16 countries--including the United States, the United Kingdom and the Netherlands--according to MessageLabs. The virus had produced less than 1,000 e-mail messages from infected computers in the first few hours, said Sunner. That's much smaller than Sobig.C, which was responsible for 32,000 e-mail messages containing the virus in its first 24 hours.
The virus appears in a recipient's in-box with the subject line "Re: Movie" or "Re: Application." The body of the message states, "Please see the attached zip file for details." The malicious program is contained in an 80KB attachment to the message. It infects any PC running a Microsoft Windows operating system when the attachment is opened.
Antivirus software maker Symantec planned to update its antivirus definitions midday on Wednesday to detect and remove Sobig.E. The company rated the virus a "2" on its five-point scale, with "5" being the largest threat. More than 30 of the Cupertino, Calif., company's clients had reported the virus to Symantec, said Sharon Ruckman, senior director of the company's security response team.
"That's pretty significant on the corporate side," she said.
To prevent infecting their computer, e-mail users shouldn't open attachments, even from people known to them, unless they specifically asked for the file first.