A new virus, code-named W32/Sobig.A, is on the loose and spreading quickly, according to antivirus experts. The worm was discovered late last week and has spread rapidly over the weekend. By Monday morning, Sobig was the third most prevalent virus on the internet, according to UK-based email security firm MessageLabs.

Sobig is a mass-mailing worm incorporating its own SMTP engine, according to antivirus companies. It arrives from the email address "big@boss.com" and bears a subject line such as "Re: here is that sample", "Re: Movies", "Re: Document" or "Re: Sample". The email contains an attachment called "Document003.pif", "Sample.pif", "Untitled1.pif" or "Movie_0074.pif". It affects the Windows 95, 98, Me, NT, 2000 and XP platforms. The worm was originally not considered a serious threat, but has been upgraded due to its rapid spread.

When the attachment is clicked on, it runs a program that searches for files containing email addresses and uses these to send infected emails. It also connects to a website and downloads a text file containing another web address, from which it attempts to download and run another program. MessageLabs speculated that this program was a backdoor trojan horse, which could allow a hacker to take control of the user's PC. If there is a local-area network connection, Sobig attempts to copy itself onto shared network folders.

It was first detected on Thursday in the Netherlands, according to MessageLabs, and is most active in the Netherlands, the UK and the US.

The worm has spread rapidly despite its reliance on an attachment that must be downloaded and launched by a user. However, many experts are predicting the imminent appearance of viruses that are able to infect millions of computers in a matter of minutes or seconds by attacking server vulnerabilities directly, without human intervention.

Last week's Lirva worm, which is still in MessageLabs' top five list, also spread through "social engineering" - tricking users into launching a damaging program. Sophos, Symantec and McAfee have published instructions for blocking and removing the worm.

Matthew Broersma writes for ZDNet UK
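
A mail-gateway check built from the indicators reported in the article, as an added example that is not part of the original story. The function names, verdict labels and sample messages are constructed for illustration; because the article gives the subject lines only as examples ("such as"), the generic .pif rule is there to catch variants.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators as reported in the article (compared case-insensitively).
SOBIG_SENDER = "big@boss.com"
SOBIG_SUBJECTS = {"re: here is that sample", "re: movies",
                  "re: document", "re: sample"}
SOBIG_ATTACHMENTS = {"document003.pif", "sample.pif",
                     "untitled1.pif", "movie_0074.pif"}

def classify(raw):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if parseaddr(str(msg.get("From", "")))[1].lower() == SOBIG_SENDER:
        reasons.append("sender")
    if str(msg.get("Subject", "")).strip().lower() in SOBIG_SUBJECTS:
        reasons.append("subject")
    pif_seen = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in SOBIG_ATTACHMENTS:
            reasons.append("known-attachment:" + name)
            pif_seen = True
        elif name.endswith(".pif"):
            # .pif files are executable on Windows; block any of them.
            reasons.append("pif-attachment:" + name)
            pif_seen = True
    # The attachment is what runs, so it decides "block"; header-only
    # matches are spoofable and only raise a flag for review.
    verdict = "block" if pif_seen else ("flag" if reasons else "pass")
    return verdict, reasons

def build_sample(sender, subject, filename=None):
    """Build a constructed test message (no real malware content)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.org", subject
    m.set_content("See attached.")
    if filename:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(classify(build_sample("big@boss.com", "Re: Movies", "Movie_0074.pif")))
    print(classify(build_sample("carol@example.org", "Re: Document", "Notes.PIF")))
    print(classify(build_sample("Alice <alice@example.org>", "Report", "report.pdf")))
```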
Comments
There is 1 comment.
1. Ray Ward
Britain's name frequently appears when the proliferation of viruses is discussed. The English don't care about the kit they buy; keeping anything in good working order and defect free is anathema (note private hire taxis). Installing antivirus is completely beyond the average user in the UK. The relatively young and (thought to be) technologically savvy too have problems with the technology, citing technical difficulties in doing the install, but just plain apathy is probably the highest reason why viruses are so prolific in the UK. During the summer months of 2003 NTL were running almost continually instructions for removing the Blaster virus, in all probability because they were watching their bandwidth reach the endangered species mark. I cleaned or gave advice on removing the Blaster virus to a number of people and still they let it back in. The point is, does the internet community decide at some point that this e-mail or some download should not reach its destination because it has the potential to bring the net to a slow crawl? And what government in the world wouldn't wish such unfettered power on themselves.