Sobig the worst worm ever

The Sobig virus deluging users' inboxes again this week is the largest epidemic of a mass-mailing worm to date, according to figures from anti-virus firms.

Email filtering company MessageLabs said by Tuesday it had intercepted more than a million messages carrying the virus, while rival Postini trapped 2.6 million in 24 hours. Scott Petry, VP of products and engineering for Postini, said: "This is the fastest [virus] that we have seen." He said the company typically stops only around 500,000 email messages a day that carry viruses. The computer virus continues to clog up corporate email systems with every message having to be digitally checked for the virus before being passed on to the recipient's computer. MessageLabs said one in every 17 messages contains the Sobig virus - far more then the normal 1-in-275 ratio or 1-in-138 ratio that the previous top threat, Klez.H, had produced.

Sobig.F, like previous versions of the virus, uses an email address other than the victim's as the apparent source of email messages that it sends to spread itself. Many anti-virus systems send an alert that notifies the apparent sender of viral email messages that they are infected, even when the malicious program is known to forge the source's email address. The result: More spam to clog the internet's arteries. Petry said: "We chose to not respond to spam or viruses, because it can quickly turn into a denial of service attack."

AOL also had to deal with an avalanche of email. On any given day, the consumer internet service provider normally receives about 11 million email messages with attachments that need to be checked. On Tuesday, the company took in about 31 million such messages, about 11.5 million of which carried the Sobig.F virus, according to an AOL representative. The Sobig.F virus spreads by harvesting emails from web pages and from the address book of an infected computer. It sends a copy of itself to the addresses in an email message with subject lines such as "Your Details," "Re: Approved," and "Thank you!" The virus also spreads by copying itself to shared network hard drives that are accessible to the infected computer. The virus has caused headaches for administrators at the Massachusetts Institute of Technology, the US Department of Defense and many other companies. But the virus - like the previous versions - has an expiration date built in and this variant is set to stop spreading on 10 September.

But rather than comfort internet service providers, that fact made administrators worried that the people who wrote the Sobig family of viruses were learning with each variant. Mark Sunner, CTO at MessageLabs, said in a statement: "The Sobig virus writer's use of an inbuilt expiry date indicates that he is committed to inventing new and improved versions. Each variant released so far has exceeded the previous one in growth and impact during the critical initial window of vulnerability."

Robert Lemos writes for CNET News.com