New Sobig virus threat

26 Aug 2003

Reports circulating suggest that a new version of the Sobig.F virus could arrive any day now, before the latest variant is timed to expire on 10 September.

The most recent version of Sobig, which hit systems last week, threatened to melt down the internet as we know it, crashing individuals’ PCs as well as corporate networks.

The first version of Sobig hit email boxes in January and had no expiration date. It was followed four months later by Sobig.B. More sophisticated versions, C, D and E, followed one week to three weeks later.

The latest version, F, surfaced last week and spread to hundreds of thousands of PCs, with some 200 million infected emails sent over the internet by infected computers.

The virus exploits vulnerable, unsecured networks by spreading via email. The virus fakes an email address to disguise its origins and regularly changes its form and the subject lines of messages it creates, making it difficult to detect. When it infects machines, the virus harvests email addresses from Outlook address books and web page memory stores.

The suffix of the attachment bearing the virus also changes, but most often the malicious programme masquerades as a screen saver (.scr) or a Windows information file (.pif). The filename of the attached file also changes regularly, making it harder to spot. Email users are warned to be wary of messages bearing the subject lines: “Re: details”; “Re: approved”; “Re: Thank You”; “Re: Wicked Screensaver”; or “Your Details”.
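The checks described above can be expressed as a small mail filter. This is an added example, not code from the article or from any anti-virus vendor: it flags a message by the subject lines and attachment suffixes the article lists, and the function names, addresses and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines and attachment suffixes named in the article.
SUBJECTS = {"re: details", "re: approved", "re: thank you",
            "re: wicked screensaver", "your details"}
SUFFIXES = (".scr", ".pif")


def sobig_indicators(raw):
    """Return the article's indicators found in one raw email message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    # Normalise whitespace and case so "Re:  Details" still matches.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)
    # The From header is ignored on purpose: the article notes it is faked.
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        # endswith() also catches double extensions such as "notes.txt.scr".
        if name.endswith(SUFFIXES):
            hits.append("attachment:" + name)
    return hits


def build_sample(subject, filename=None):
    """Construct a test message (sample data, not a captured email)."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content("See the attached file for details.")
    if filename:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [("Re: Details", "your_details.pif"),
               ("Quarterly report", "notes.txt.SCR"),
               ("Re: approved", None),
               ("Lunch on Friday?", "menu.pdf")]
    for subj, fname in samples:
        print(subj, "->", sobig_indicators(build_sample(subj, fname)) or "clean")
```

Because the virus regularly changes its subject lines and filenames, the suffix check is the more durable of the two signals; the subject list only covers the lines quoted in the article.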

It is understood that infections have declined since the weekend. However, internet users have been warned to be on the look-out for the variant which is expected to spread before the 10 September expiry date on the Sobig.F virus.

By John Kennedy