• PC World
• »Security

The latest version of the Sobig worm is making its way through computer networks around the world, apparently causing no direct damage but hogging bandwidth and IT resources in its path.

The new worm, called W32.Sobig.E@MM, has been showing up around the globe since yesterday, according to Graham Cluley, senior technical consultant for antivirus software vendor Sophos in Oxford, England. So far, it's only annoying, but it could be a precursor to more serious and damaging attacks, he says.

The worm affects network PCs that run the Windows 95/98/Me and Windows NT/2000 operating systems, according to Sophos. It spreads by scouring an infected computer's hard drive for e-mail addresses, in address books and even in Web browser cache files, and then sending itself out to the addresses it finds. It can spoof its sender's address, so the recipients believe they have gotten a message from someone they know.

Hassle, Not Harm

This is the latest in a series of Sobig worms in recent months, Cluley says. The new version is being sent as a .zip file, perhaps to allow it to spread in corporate environments where .exe and other file types are automatically blocked in incoming e-mail messages, he says. "It's hard to speculate" why the new approach was taken, he says.

While the virus does no actual harm, the spoofed messages can elicit anger from customers and users who receive the worm, Cluley says. He notes that a future version of the worm could work to set up infected machines for relaying spoofed messages that could be used for destructive purposes.

The new worm is set to automatically time itself out and stop spreading on July 14, according to Sophos. One possible reason for the ending date, Cluley says, is that the virus creator may believe it would provide a good defense if he is caught and prosecuted. "In our minds, that's nonsense, because a virus like this can spread around the world in a matter of hours," which makes an ending date a moot issue, he says.

Caution Urged

Marty Lindner, a team leader for incident handling at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh, says the rapid spread of the worm since yesterday means recipients are still opening files in messages even when they have been warned countless times in the past that it's unsafe to do so.

The virus apparently spread too quickly for the antivirus vendors to react and update their antivirus products, he says.

"This is a good indication of the viruses winning" this round, Lindner says. "You can't always rely on antivirus as the silver bullet." Users need to pay more attention to incoming files and e-mail, and must not open files if they're not expecting to receive them for specific reasons, he says.

Also posting warnings, information, and fixes for the Sobig-E worm are vendors Symantec and McAfee Security.

The subject line of the worm identifies itself as an application, movie, document, screen saver, or application, in addition to other variants.

The prior version, Sobig-D, was first seen last week. Earlier versions of the worm, such as W32/Sobig-C and W32/Sobig-B, would sometimes purport to come from Bill Gates at Microsoft or from Microsoft technical support, according to Sophos.