Some unsuspecting people may find an e-mail appearing to come from Bill Gates in their inboxes this morning, but it's in fact a rapidly spreading variant of the Sobig worm.
Antivirus companies have upgraded Sobig-C because of how wide it is spreading. F-Secure has it on its highest rating, Radar Level 1. McAfee Security sees the worm as a medium risk for both home and business users. Symantec Corp. has it listed as a Category 3 threat.
U.K.-based e-mail filtering outsourcer MessageLabs intercepted 11,000 copies of the worm on Sunday. By midmorning Monday, the company had caught about 5,000 copies.
In many ways, Sobig-C is a pretty standard Internet worm. It sends e-mails with copies of itself as attachments using its own SMTP (Simple Mail Transfer Protocol) engine. Sobig can also spread via open network files shares. When infecting a system, it copies itself as "mscvb32.exe" locally and sets a registry key so it launches every time Windows starts. Sobig doesn't have a destructive payload.
After infecting a system, Sobig-C searches for e-mail addresses to harvest from the following file types: .wab, .dbx, .htm, .html, .eml and .txt. Harvesting e-mail addresses from a variety of files makes Sobig-C similar to Palyh, which gained some traction two weeks ago. Such functionality could affect experts' ability to estimate how much the worm is actually spreading, since one infected machines could literally send out thousands of messages, said Chris Wraight, technology consultant for antivirus software vendor Sophos.
Sobig-C also spoofs e-mail addresses, so a message appears to come from an address that was harvested from an infected system. In some cases, the worm arrives appearing to come from "email@example.com." "This should seem suspicious, as it's pretty unlikely Bill Gates will be sending you a message," Wraight said, noting also that Microsoft doesn't send executable files via e-mail.
The worm arrives attached to an e-mail message with a .pif or a .scr file extension. It uses variable subject lines such as "Approved," "Re: 45443-343556" and "Re: Your application." In all cases, the message text is simply: "Please see the attached file."
Protecting against Sobig-C isn't too difficult. Stripping .pif and .scr files at the gateway would stop it from getting through. Many companies do so already, since most don't have a business need to send and receive such files. Updating antivirus signature files is a definite must.
It's perhaps not surprising that Sobig-C made some traction, given the millions of people who are now using the Internet, said Vincent Gullotto, vice president of McAfee AVERT. "It's just a matter of probability and statistics that some will be fooled by it," he said.
Some end users who received Sobig-C may have mistaken the .pif extension for .gif, a common graphics file type, Gullotto said. "They haven't see it before, so they think it can infect them," he said.
Coincidentally, Sobig-C appeared on Saturday, the same day Sobig-B was set to stop working, said Mikael Albrecht, a product manager with antivirus software vendor F-Secure. Sobig-C is programmed to stop working on June 8.
Albrecht isn't sure why the writer set the worm to stop working. "It could be a sign that he or she knows virus writing is wrong and does not want it to spread forever," he said.
FOR MORE INFORMATION