3 min read

Sobig ... And Still So Bad

Experts say the E-mail-borne virus is showing the ability to update itself.
The Sobig E-mail virus spread unabated for a second day across the Internet, as security experts discovered Wednesday that the malicious program also had the ability to update itself.

The fourth variant of a worm first discovered in January appeared to be infecting PCs at the same rate as Tuesday, based on the number of people emailing the virus to anti-virus company Symantec Corp., which has listed Sobig as a "level-three" virus. Level five is the highest rating.

"It seems to be affecting consumers more than enterprises," Alfred Huger, senior director of engineering for Symantec's security response team, said. "Having said that, both are seeing significant amounts of the virus."

Network Associates Technology Inc., another anti-virus vendor, said three home PCs was being infected for each enterprise computer. Businesses typically move faster in protecting networks, updating anti-virus software and taking other security measures. Network Associates rated the virus a "high threat."

Code-named W32/Sobig.F-mm, the latest variant did not get a higher rating from Symantec because the worm was not as destructive to a computer as other viruses. However, Sobig is unusual in that it has the ability to go onto the Internet from its host PC and update itself with new capabilities, Huger said.

Those capabilities could include tools for denial-of-service attacks or relaying spam. "It's entirely up to the author (of the virus)," Huger said. "It can download whatever its heart desires."

Because the worm and its variants have been spreading for months, the author controls a vast network of PCs, but "what he or she is doing with them is still anybody's speculation," Huger said.

Sobig is also unusual in the number of variants. "The author has been very prolific," Huger said. "The variants were likely written by the same person."

Worms such as Sobig usually spread rapidly over the first two days, then slow as quickly as PC users update their anti-virus software. As of midday Tuesday, MessageLabs Inc., which provides E-mail services to companies, had intercepted more than 100,000 E-mails carrying the virus.

Worms embed software that enable hackers to take control of a PC or steal passwords. Sobig.F is arriving in E-mail under a subject line that typically says "Re: details," "details," "your details," "thank you," or "resume." The sender is disguised as someone that may be familiar to the recipient, such as the name of a company or person.

Once the attachment containing the virus is opened, Sobig steals E-mail addresses from several different locations on the computer, including the Windows address book and Internet cache, then sends copies of itself out to those addresses. The virus, which sends multiple E-mails concurrently, selects addresses randomly for use as the sender, attempting to fool recipients into thinking the E-mail is from a company or other legitimate source.

The attachments' names may include your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document.Fall.pif, application.pif, and document.9446.pif.

Because of its mass-mailing capabilities, Sobig can eat up bandwidth and slow a company's network performance. However, the virus isn't considered as malicious as others, since it doesn't delete files or damage an infected PC.

Nevertheless, the bigger danger lies in its ability to open a port in a computer, enabling a hacker to upload a Trojan. The small application can let a hacker take control of a computer or search for passwords in the system to break into people's online accounts.

Spammers also use Trojans to send out mass mailings through someone else's PC, hiding the originator of the spam. Because of the way Sobig is written, some anti-virus experts believe it is most likely the tool of a spammer.

Editor's Choice
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing
Jessica Davis, Senior Editor
Richard Pallardy, Freelance Writer
Carrie Pallardy, Contributing Reporter
John Edwards, Technology Journalist & Author
Carlo Massimo, Contributing Writer
Salvatore Salamone, Managing Editor, Network Computing