Turn of the worm

Another variant of the Sobig worm has been detected by security firms, just a week after Sobig.d hit the headlines.

Despite being a non-destructive mass mailer worm, Sobig.e 'seems potentially more virulent than previous variants', according to security vendor Clearswift's ThreatLab Manager newsletter.

Computer Associate's virus research manager Jakub Kaminski said that-- based on the amount of submissions and samples collected from the wild--sobig.e 'is one of the most successful sobig variants'. Kaminski said his team had seen 'quite a few infections on its first day', and added that it's still not known whether infection activity has peaked, or will continue to increase.

Like its earlier incarnations, Sobig.e spreads via a network or through e-mail. In the latter case, Trend Micro said it used its own SMTP (Simple Mail Transfer Protocol) engine and gathers target e-mail addresses from files with the following extensions: .wab, .dbx, .htm,. html,. eml and .txt.

TrendMicro said it could also spoof a sending address. The worm initially appeared to be from 'support@yahoo.com', but could also appear to be from any other e-mail address that it found on an infected system.

As an e-mail, the worm comes with a variety of subject headings quite often containing 'RE' to appear to be a reply from a known sender, such as 'Re: Movie' and 'Re: Attachment.' The body of the message states: 'Please see the attached zip file for details'.

Due to an increased rate of submissions, Symantec upgraded this threat from a “category 2” to a “Category 3”, on a scale where "5" is the largest threat.

Interestingly, the worm itself is packaged as a compressed zip file containing a single copy of the worm with a .pif or .exe extension. According to security firms, infection occurs when the file within the zip is launched.

Security firms said this use of zip creates an added danger as there have been few viruses that have propagated in this way. Zip is quite often used by business, but many users may not have the option to scan this particular type of compressed file enabled in their antivirus software.

By using zip, it appears that the worm writer was trying to get around standard security practices in use at most businesses, according to Andrew Gordon, managed services architect at TrendMicro.

Gordon said users should be on the alert for something nastier popping up down the track. “Usually these non destructive may be the first cab off the rank for a particular hacker,” he said.