A new variant of Sobig-E began to spread rapidly Wednesday, traveling as a commonly used file type for businesses.
U.K.-based e-mail filtering outsourcer MessageLabs had stopped 24,515 copies of the worm as of 9 a.m. EDT today. It was handily the most active worm of the preceding 24 hours, with nearly twice the volume of Klez-H, the second most prevalent.
Technically, Sobig-E does act much like its brethren after it infects a system. However, it travels via e-mail as a Zip file attachment. Most companies allow such files in. Many companies strip .exe, .pif and .scr files at the gateway, which would prevent infection from most worms, including past Sobig variants.
Sobig-E does not cause damage to infected computers, but it does generate more network traffic, which could lead to denial-of-service conditions. Most of the leading antivirus vendors had elevated Sobig-E to a high risk as of early this morning.
Blocking Zip files is probably not an option for most companies. "It's not something that would take a large amount of time, but I'm not sure it would be acceptable practice for businesses," said Craig Schmugar, a virus research engineer with McAfee Security.
Companies that block executable files often tell their employees to Zip such files in order to send them around. "Most people today know not to open .vbs or .scr files," said Chris Wraight, technology consultant for antivirus software vendor Sophos Inc. "But they think Zip files are OK to open."
Most antivirus scanners can check Zip files for worms, but some users turn off that functionality for perceived performance reasons, Schmugar said.
On the social engineering front, Sobig-E doesn't break any new ground. It arrives with a subject line like "Re: Application" and "Re: Movie." The message text politely asks recipients to "Please see the attached Zip file for details."
A user would need to do more than just double-click on the attached worm. Because it's Zipped, the worm file would have to be extracted and then run. Generally, there are two ways files can be unZipped. They can be extract and saved to a user-specified location on the hard drive, such as the desktop. Such files can also be unZipped and opened automatically; in these cases, the file is saved in a temporary file.
When infecting a system, Sobig-E does similar things as its siblings. It drops two files into the system. One is an 85 KB copy of itself, winssk32.exe, and the other is a configuration file, msrrf.dat. The worm also makes changes to the registry so the worm is run every time the system is booted up.
The worm also harvests e-mail addresses from a variety of files, such as text documents and cached Web pages stored on the hard drives of infected systems. The worm then sends copies of itself out to the addresses using its own SMTP (Simple Mail Transfer Protocol) engine.
Additionally, Sobig-E can spread via open network file shares. It tries to copy itself to the following paths
"\Documents and Settings\All Users\Start Menu\Programs\Startup" and "Windows\All Users\Start Menu\Programs\Startup".
Like other Sobig variants, the new one will have a finite life. The worm is coded to stop spreading July 14. It's hard to say why the writer would purposely code the seeds of the worm's destruction within it. It could be that the author wants to just test out the worm or figures it will be squashed by the antivirus vendors by that date anyway. "I don't have a solid answer for. It is really strange," Wraight said.
FOR MORE INFORMATION: