New virus on the prowl

20 Aug 2003

As the world recovers from last week’s MSBlast and this week’s Welchi worms, a new fast-spreading virus has begun infecting vulnerable computers and networks. So far more than 307,000 copies of the SoBig F virus have infected computer systems.

It is understood that the first version of the Sobig virus hit systems in June, but a new F variant has begun wreaking havoc.

The virus effectively exploits vulnerable, unsecured networks by spreading via email. The virus fakes an email address to disguise its origins and regularly changes its form and the subject lines of messages it creates to make it difficult to detect.

The virus, when it infects machines, harvests email addresses from Outlook address books and web page memory stores.

The suffix of the attachment bearing the virus also changes, but most often the malicious programme masquerades as a screen saver (.scr) or a Windows information file (.pif). The filename of the attached file also changes regularly making it harder to spot.

The email traffic generated by Sobig F is threatening to swamp some corporate networks that are already struggling to cope with the Welchi worm that scans for fresh hosts faster than last week’s MSBlast virus.

The virus has been seen in more than 130 countries and according to US-based MessageLabs more than 307,000 copies of the virus have been identified so far. It is understood to have a built-in timer that will stop it working on 10 September, 2003.

Email users are warned to be wary of messages bearing the subject lines: “Re: details”; “Re: approved”; “Re: Thank You”; “Re: Wicked Screensaver”; or “Your Details”.

By John Kennedy