Sobig Variant Spreads

The Sobig.C virus may only be days old but reports on Monday indicated that the latest form of the Sobig worm has already reached 84 countries.

Sobig.C, also known as w32.sobig.c@mm, is another form of the Sobig worm and arrives via e-mail, affecting users running Microsoft's software.

It is gaining notoriety for featuring a Microsoft e-mail address from the company's technology support desk and even pretends to be the founder of the company, using the address bill@microsoft.com.

Once executed, it will try to forward itself to any address found on the infected computer through its own simple mail transfer protocol engine. The virus will also attempt to download Trojan-horse files from a Web site that is inactive.

Traffic Troubles

While not malicious or able to destroy files, the worm specifically targets e-mail traffic. "This threat will attempt to send itself to e-mail addresses that it finds in a variety of files that it searches on your hard drive...It will cause e-mail traffic to become overloaded as we've seen in the past with more high profile e-mail threats," said Steve Trilling, senior director of research at Symantec in Santa Monica, California.

The e-mail's subject line could include any of the following: Approved; Re: 45443-343556; Re: Application; Re: Movie; Re: Screensaver; Re: Submitted (004756-3463); or Re: Your application.

The virus is the third variation of the original Sobig virus. According to reports from Central Command, Sobig.B lead all viruses in May and was responsible for 22.4 per cent of all confirmed infection reports. Sobig.C was discovered on May 31 and is expected to circulate until June 8 because that is how the virus was written.

Still Spreading

Symantec on Monday said it had received a worldwide reported total of 539 submissions for the latest virus, 12 of which were from corporate customers, said Trilling. But he cautioned that corporations tend not to report an accurate number, saying that an organization may count thousands of infected e-mails as only one hit. The company currently has the virus listed as a three out of five on its danger threat radar. By comparison, Sobig.B reportedly hit 24 corporations on its first day.

Tom Slodichak, the chief security officer at Toronto-based WhiteHat, agreed that Sobig.C is not a malicious virus but is a "mass re-mailer." The problem, he said, is how fast the worm is proliferating.

"We're a little concerned in that this new bit of social engineering is hood winking a lot of people into opening the e-mail and clicking on the attachment and that's causing for a lot of spread."

Symantec and WhiteHat are among some security vendors that have already updated their signature files to stop Sobig.C from spreading.