SoBig.F virus spreads email havoc

 

Gallery

By Alun Williams

Posted on 21 Aug 2003 at 11:40

SoBig.F is being described as the fastest spreading email virus yet. The long-standing virus has spread aggressively around the world, according to the latest reports.

MessageLabs, the email security specialists, rates the SoBig.F threat as 'High Risk' and says it is spreading 'vigorously'.

Indeed, it tracked more than one million occurrences of the virus over a twenty-four hour period. Surpassing the rate of the previous fastest ever (Lovebug). MessageLabs estimates that as many as one in seventeen emails sent in the world could currently be affected by the virus. This could rise to a staggering ration of 1:15.

The email worm copies itself into the Windows folder of PCs as winppr32.exe, searches files on the hard drive to extract email addresses and then sends out infected mails. Posing with a variety of subject lines and various attached files, the virus also spoofs the From field of infected emails, hiding the true identity of the sender. All of which makes it harder to identify.

Paul Woods, Chief Information Security Analyst at MessageLabs, pointed out a number of factors that make this sixth-generation version of SoBig so virulent. First, it now takes advantage of SMTP multi-threading to more efficiently process its emailing duties - instead of dealing with 100 addresses (for example) one by, it will process them in bulk.

Second, the virus writers have actually corrected some bugs in their code. Before, the infected attachments sometimes had their filename extensions truncated, .zip files became .zi, for example. This meant that a proportion of users who may have activated the attachment would have been frustrated by Windows' inability to recognise the attachment. This has now been fixed, increasing the likelihood of its spread.

SoBig first appeared back in January 2003. And still by June, Sobig-E was causing problems to computer systems around the world - Sobig, so long lasting .

To keep IT departments busy, there is another virus on the block, but one currently operating at a much smaller scale. Be aware of Dumaru-A, which is just beginning its life. This email worm, which carries its own SMTP engine to spread itself further, attempts to infect all executables on an infected computer with copies of itself.

The message appears to be sent from '"Microsoft" ' and has a subject line of 'Use this patch immediately !'. The attached file is patch.exe. More info on Dumaru-A can be found on the Sophos website.