Sobig Worm Getting Even Bigger

Virus spreads via e-mail and network folders and could allow its creator to take control of your PC.

Paul Roberts, IDG News Service

Tuesday, January 14, 2003 10:00 AM PST

A new computer virus, Sobig, is spreading on the Internet, according to alerts posted by a number of antivirus software companies.

Sobig is a worm that uses e-mail and shared network folders to infect machines running Microsoft's Windows operating system, according to information posted on the Web site of Helsinki antivirus company F-Secure.

The worm arrives in e-mail messages from a single sender, big@boss.com, and is stored in attached executable files with names such as Sample.pif, Untitled1.pif, and Movie_0074.mpeg.pif, according to F-Secure.

Working Through Windows

When opened, the worm places a copy of itself into the Windows folder on the infected machine, creates a process to run the worm program, and modifies the Windows Registry so that the worm program will launch whenever Windows is started.

Once it has infected a machine, the worm searches for e-mail addresses in a variety of text files on the computer's hard drive. It uses those addresses to send out more copies of itself. Sobig also searches for any shared folders on networks that the infected machine may have access to and places a copy of itself in any network folder it can access.
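The persistence step described above (a copy of the worm dropped in the Windows folder, plus a Registry change that starts it whenever Windows boots) is what a responder checks first when reviewing a machine by hand. The script below is an added example, not code from the article or from F-Secure. It parses a constructed .reg export of the two standard per-machine and per-user Run keys (an assumption: the article says only that the worm edits the Registry, not which key) and reports every entry that launches a program stored directly in the Windows folder. The filename sample_placeholder.exe is a stand-in; the article does not give the name of the worm's copy.

```python
"""Review Run-key entries from a .reg export for programs started from the Windows folder."""
import re
from typing import List, Tuple

# Assumption: the standard autostart keys. The article does not name the key Sobig edits.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# Directory spellings treated as "the Windows folder" for this check.
WINDOWS_DIRS = {r"c:\windows", r"c:\winnt", r"%systemroot%", r"%windir%"}

# Constructed .reg export. 'sample_placeholder.exe' is a stand-in name, not Sobig's real filename.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"Sample"="C:\\WINDOWS\\sample_placeholder.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')
# Cuts a Run value's data down to the executable path, dropping quotes and arguments.
EXE_PATH = re.compile(r'^"?(.+?\.(?:exe|com|pif|scr|bat))\b', re.IGNORECASE)


def parse_run_entries(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for every string value stored under a Run key."""
    entries = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        m = VALUE_LINE.match(line)
        if m and current_key in RUN_KEYS:
            # .reg exports double every backslash inside string data; undo that.
            entries.append((current_key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def program_path(data: str) -> str:
    """Extract the executable path from a Run value, ignoring quotes and trailing arguments."""
    data = data.strip()
    m = EXE_PATH.match(data)
    return m.group(1) if m else data.split(" ", 1)[0]


def review(reg_text: str) -> List[Tuple[str, str]]:
    """Return (value_name, path) for entries whose program lives directly in the Windows folder."""
    findings = []
    for _key, name, data in parse_run_entries(reg_text):
        path = program_path(data)
        directory, _, _filename = path.rpartition("\\")
        if directory.lower() in WINDOWS_DIRS:
            findings.append((name, path))
    return findings


if __name__ == "__main__":
    for name, path in review(SAMPLE_REG):
        print(f"review: Run value {name!r} starts {path}")
```

The check deliberately reports "review" rather than "infected": legitimate programs are occasionally started from the Windows folder too, so the output is a short list for a human to confirm against the antivirus vendors' removal instructions, not an automatic verdict.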

Although the new worm does not appear to steal sensitive information from the computers it infects, antivirus companies warned that the worm does connect to a Web site hosted by Yahoo's GeoCities, from which it tries to download and execute other files, according to F-Secure.

The GeoCities Web page used by Sobig was modified recently to instruct the worm to download a Trojan horse program known as Backdoor.Delf that gives the virus writer and others control of infected machines, according to Mikko Hyppönen, manager of antivirus research at F-Secure.

GeoCities has been notified about the page by F-Secure as well as the CERT Coordination Center, according to Hyppönen. Yahoo was not immediately available to comment on the Sobig worm.

Increased Risk

The worm first came to the attention of antivirus companies on Thursday and began spreading slowly, Hyppönen said.

In recent days, however, the virus has spread more rapidly, and the number of machines infected by Sobig has grown.

As of Tuesday, F-Secure gave the worm a Level 2 ranking, indicating that it is "causing large infections" and putting it in a category with well-known predecessors such as the Klez worm.

Other antivirus companies upgraded their threat ratings for Sobig as well. On Monday, Symantec's Security Response upgraded Sobig from a category 2 to a "moderate" category 3 threat.

Simple Steps

The success of Sobig since it first appeared surprised Hyppönen, who said that Sobig is a comparatively simple worm that lacks many of the sophisticated features that allow a new generation of viruses to spread.

For example, Sobig always arrives in e-mail messages from the same sender, big@boss.com, unlike recent successful worms such as Bugbear or Lirva, which generated their own sender addresses, swapped in trusted sender addresses from sources such as antivirus vendors, or selected them at random from a long list.

In addition, the Sobig e-mail messages use one of only a small number of subjects--such as "Movie," "Sample," and "Document"--and attachment names. Recent worms use a far larger list of possible subjects and attachment names or generate their own at random, making it harder for antivirus software to identify such threats, according to Hyppönen.

Finally, Sobig requires e-mail recipients to double-click on the attachment containing the worm. Recent-vintage worms like Lirva and Bugbear often take advantage of a Microsoft Internet Explorer and Outlook vulnerability known as the IFrame exploit, which allows e-mail attachments to launch without any user interaction when an e-mail message is opened or simply viewed in an e-mail preview pane.
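The indicators the article lists (one fixed sender, a three-entry subject list, a handful of attachment names, and a .pif file the recipient has to double-click) are exactly what a mail filter of the time would key on. The script below is an added example, not code from the article or from any antivirus vendor. It builds a few constructed messages with Python's standard library, parses them back, and flags the ones carrying those indicators. It goes beyond the article in one respect: any attachment with an executable extension, or one hiding behind a decoy extension such as .mpeg.pif, is reported as suspicious even when the Sobig-specific values do not match.

```python
"""Flag mail carrying the Sobig indicators quoted in the article (added example)."""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Indicators taken from the article.
SOBIG_SENDER = "big@boss.com"
SOBIG_SUBJECTS = {"movie", "sample", "document"}
SOBIG_ATTACHMENTS = {"sample.pif", "untitled1.pif", "movie_0074.mpeg.pif"}

# Generalisation beyond the article: .pif is an executable type on Windows, so any
# such attachment is worth flagging, doubly so when a decoy extension precedes it.
EXECUTABLE_EXTENSIONS = (".pif", ".exe", ".scr", ".com", ".bat")


def build_message(sender: str, subject: str, attachment_name: Optional[str]) -> bytes:
    """Construct a sample message (test data, not a captured Sobig mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    if attachment_name:
        # Four placeholder bytes stand in for an executable payload.
        msg.add_attachment(b"MZ\x00\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def classify(raw: bytes) -> dict:
    """Parse one raw message and return {'verdict': ..., 'reasons': [...]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From", "")).strip().lower()
    subject = str(msg.get("Subject", "")).strip().lower()
    names = [part.get_filename().lower()
             for part in msg.iter_attachments() if part.get_filename()]

    reasons = []
    sender_hit = sender == SOBIG_SENDER or sender.endswith(f"<{SOBIG_SENDER}>")
    if sender_hit:
        reasons.append("sender is Sobig's fixed From address")
    if subject in SOBIG_SUBJECTS:
        reasons.append(f"subject {subject!r} is on Sobig's short subject list")

    known_attachment = False
    for name in names:
        if name in SOBIG_ATTACHMENTS:
            known_attachment = True
            reasons.append(f"attachment {name!r} is a known Sobig filename")
        elif name.endswith(EXECUTABLE_EXTENSIONS):
            if name.count(".") > 1:
                reasons.append(f"attachment {name!r} hides an executable behind a decoy extension")
            else:
                reasons.append(f"attachment {name!r} is directly executable")

    # A Sobig verdict needs the fixed sender plus at least one of the other indicators;
    # anything else with a reason is merely suspicious.
    if sender_hit and (known_attachment or subject in SOBIG_SUBJECTS):
        verdict = "sobig"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    samples = [
        build_message("big@boss.com", "Movie", "Movie_0074.mpeg.pif"),
        build_message("alice@example.com", "Report", "report.doc.pif"),
        build_message("alice@example.com", "Lunch?", None),
    ]
    for raw in samples:
        result = classify(raw)
        print(result["verdict"], "-", "; ".join(result["reasons"]) or "no indicators")
```

The split between "sobig" and "suspicious" mirrors the article's point: the Sobig-specific values are trivial to match, which is why vendors had signatures out within a day, while the executable-extension rule is the kind of generic check that also catches the worms Hyppönen contrasts it with, which vary their sender and subject.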

"I don't know why it's spreading. I cannot explain it at all," Hyppönen said.

Stopping the Spread

Most antivirus software vendors updated their software to be able to identify Sobig by Thursday. With auto-update features standard on such programs--and even without such features--the Sobig filter was available to most users in plenty of time to stop the spread of the worm, Hyppönen said.

One possible explanation is that, while not widespread, Sobig may be particularly effective at sending out copies of itself. Hyppönen said that an analysis he conducted of 20 Sobig-infected e-mail messages led back to just three infected machines.

A similar phenomenon was noted with the Klez worm when it first appeared, Hyppönen said.

While Sobig's outbreak has probably peaked, the worm was likely to linger on the Internet for a long time, Hyppönen said.

Antivirus software vendors posted instructions on their Web pages for removing Sobig from infected machines and recommended that all users update their virus definitions to protect against the new worm.

