Sobig virus may be the tip of the iceberg

Sobig.C is already spreading rapidly around the world, and experts are warning that it may be succeeded in a few days by yet another upgrade.

A variant of the Sobig worm appeared over the weekend and is now spreading rapidly. This is the third Sobig variant to hit the internet this year, and security experts believe more variants may already be in the pipeline.

Security analysts said the new version, W32/Sobig.C-mm, had already reached a "high level" outbreak status by mid-afternoon on Monday.

Because of the increasing spread of the virus, McAfee has upgraded its risk assessment of Sobig.C to medium.

The worm's main impact is to mass-mail itself to email addresses found in address books on the system, but such worms, when successful, can use large amounts of bandwidth. These can also be difficult to root out, because they spread via desktop PCs with minimal security.

Like its predecessor, Sobig.B, also known as Palyh or Mankx, the current worm also connects to the internet and attempts to download hacking software onto the victim's computer.

The sites contacted by Sobig.C are not active, but Messagelabs said that the virus writer could activate them later.

Mark Toshack, a virus analyst with Messagelabs, speculated that the virus writer might be purposefully releasing a series of short-term worms in order to improve his or her technique. Sobig.B appeared in mid-May and had a cut-off date of 30 May, and the current worm will not propagate on a computer whose clock reads 8 June or later; another variant may appear around that date, Toshack said. "He may be refining the virus."

Sobig.C on Monday rose to the number two rank in Messagelabs' list of virus threats, although it is far behind the year-old W32/Yaha.E-mm, in the top spot, which infected about 63,000 emails over the past weekend alone. Sobig.A, dating from January, was in the number five spot.

Sobig.C uses the same mass-mailing engine as its predecessors to propagate. Messages appear to come from bill@microsoft.com or another spoofed email address. The email can have one of several subject lines, such as "Approved" "Re: 45443-343556" or "Re: Application", while the body always reads: "Please see the attached file". The attachment is called "document.pif", "screensaver.scr" or another similar name, using a .pif, .txt or .scr extension.

However, the file is actually an executable. Besides spreading by email, it also copies itself to the "startup" directories on other computers on the network.

Matt Broersma writes for News.com