The firm has given it a high-level alert status as it appears to be spreading very vigorously.
The new worm, codenamed W32/Sobig.F-mm, appeared on Monday, according to the firm. All copies came from the US. So far, the worm has been active in the US, Denmark and Norway. Anecdotal evidence suggests that it has also spread to Asia Pacific. MessageLabs on Tuesday reported that 21 percent of cases were in the UK. The Sophos Web site indicated that the antivirus firm had received "many reports of this worm from the wild."
"Initial analysis would suggest that Sobig.F is a mass-emailing virus that is spreading very vigorously. Sobig.F appears to be polymorphic in nature. The address is also spoofed and may not indicate the true identity of the sender," according to a MessageLabs statement.
The sender appears to be someone from a recognised domain name, such as ibm.com, zdnet.com or Microsoft.com. The subject line typically says "Re: Details", "Resume" or "Thank you".
Attachment names may include: your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document_Fall.pif, application.pif, and document_9446.pif.
The virus grabs email addresses from several different locations on a computer, including the Windows address book and Internet cache, and sends emails to each one. The virus also forges the source of the message using a randomly selected email address, so that the infected message appears to come from someone else.
Sobig.F is more efficient than previous versions of the virus in sending email addresses, according to MessageLabs' analysis, because the email engine that it uses to send email is "multi-threaded." While earlier versions of the virus had to wait for a task, or thread, to be completed, Sobig.F can send multiple emails at the same time, making it a much more efficient spam engine.
In an attempt to bypass local antivirus security, the file size varies on each generation by appending rubbish to the end of the file, but is on average around 74Kb in size, according to MessageLabs.
News.com's Robert Lemos contributed to this report.
Talkback
And so this crazy summer continues with yet another worm/virus! By the begining of the last century those people who lived in houses had doors to allow entry and exit from the building. By the begining of this century most people had become used to locking those doors to keep out unwanted intruders. Let's hope the IT world wakes up pretty soon! All of this unwanted malicious code can be kept out by applying the PC version of the locked door... Reflex Disknet Pro! It does not need updating to account for new variants or versions of these worms/viruses and can provide much more protection than simply preventing malicious code. Sorry to be making such a blatant plug for our software but it really is this easy to be rid of the menace of malicious software!