Sobig.F is 'worst variant yet'


The latest variant of the Sobig virus has the ability to spread across file-sharing networks as well as by email, making it the worst strain yet, experts warned on Tuesday afternoon.


Email service provider MessageLabs has already detected 60,000 copies of Sobig.F, first spotted earlier on Tuesday. This variant could be one of the more active viruses of the year, said the company, adding that it could hit British computer users particularly hard. A third of viruses detected were in the UK.

According to Alex Shipp, senior antivirus technologist at MessageLabs, Sobig.F is easily the most powerful member of the Sobig family to date. Shipp believes that it has been released by the same virus writer who created the original Sobig, which hit the Internet in January this year.

"He's made a couple of tweaks. Previous Sobigs had a bug where the last letter of the file-name was dropped, which meant the file wouldn’t run. That's now been fixed," explained Shipp.

Another addition to Sobig.F's armoury is the ability to spread across file-sharing networks, Shipp said. He wasn't yet able to say which peer-to-peer applications are affected, but warned that this made Sobig.F a serious threat to home users. Businesses whose employees are running P2P software are also at risk, as this infection route is not normally covered by email scanners, which can otherwise catch Sobig.F.

When spreading by email, Sobig.F appears to have been sent from a recognised domain name, such as ibm.com, zdnet.com or Microsoft.com. The subject line typically says "Re: Details", "Resume" or "Thank you".

Attachment names may include: your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document_Fall.pif, application.pif, and document_9446.pif.

The virus grabs email addresses from several different locations on a computer, including the Windows address book and Internet cache, and sends emails to each one. The virus also forges the source of the message using a randomly selected email address, so that the infected message appears to come from someone else.
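
The indicators the article lists (a .pif attachment, the reported attachment names and subject lines, and a forged sender address) are enough to build a simple mail-gateway triage rule. The following is an added example, not the article's or MessageLabs' tooling; the sample messages are constructed in `build_sample`, and the attachment payload is harmless filler. Because the From: header is forged from a harvested address, the rule records it but does not block on it or bounce to it.

```python
# Added example: a small triage filter for the Sobig.F indicators quoted in the article.
# Not part of the article or MessageLabs' own tooling; the sample messages are constructed.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject lines and attachment names reported in the article for Sobig.F.
SUSPECT_SUBJECTS = {"re: details", "resume", "thank you"}
SUSPECT_ATTACHMENTS = {
    "your_document.pif", "details.pif", "your_details.pif", "thank_you.pif",
    "movie0045.pif", "document_fall.pif", "application.pif", "document_9446.pif",
}


def build_sample(sender: str, subject: str, attachment_name: str) -> bytes:
    """Construct a test message; the attachment payload is harmless filler, not a real .pif."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file for details.")
    msg.add_attachment(b"HARMLESS FILLER BYTES", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def assess_message(raw: bytes) -> dict:
    """Return the indicators found in one raw RFC 822 message and a quarantine decision."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = (msg["subject"] or "").strip().lower()
    attachments = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    reasons = []
    for name in attachments:
        lname = name.lower()
        if lname.endswith(".pif"):
            # .pif is executable on Windows; the article notes many firms block it outright.
            reasons.append(f"executable .pif attachment: {name}")
        if lname in SUSPECT_ATTACHMENTS:
            reasons.append(f"attachment name reported for Sobig.F: {name}")
    if subject in SUSPECT_SUBJECTS:
        reasons.append(f"subject line reported for Sobig.F: {subject!r}")
    # The From: header is forged from a harvested address (see the article), so it is recorded
    # for the analyst but deliberately not used to block or to notify the apparent sender.
    return {
        "claimed_from": str(msg["from"]),
        "attachments": attachments,
        "reasons": reasons,
        # Quarantine on the executable attachment alone; subject/name matches are corroboration.
        "quarantine": any(r.startswith("executable .pif") for r in reasons),
    }


if __name__ == "__main__":
    for sample in (build_sample("someone@ibm.com", "Re: Details", "your_document.pif"),
                   build_sample("colleague@example.invalid", "Meeting notes", "notes.txt")):
        print(assess_message(sample))
```

The quarantine decision rests on the executable attachment type rather than on the subject or file name, because those are the parts of the lure a later variant changes most cheaply.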

Sobig.F is more efficient than previous versions of the virus in sending emails, according to MessageLabs' analysis, because the email engine that it uses is "multi-threaded". While earlier versions of the virus had to wait for a task, or thread, to be completed, Sobig.F can send multiple emails at the same time, making it a much more efficient spam engine.

In an attempt to bypass local antivirus security, the virus varies its file size on each generation by appending rubbish to the end of the file; the file is on average around 74Kb in size, according to MessageLabs.
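
Appending junk to each copy changes the file's size and whole-file hash, which is why a blocklist keyed on either of those misses the next generation while a signature over the unchanged part of the file still matches. The following is an added example illustrating that point; it is not the article's or MessageLabs' code, and `INVARIANT_BODY` is a constructed stand-in for a program body, not malware.

```python
# Added example: padding defeats size- and whole-file-hash matching but not a signature
# over the invariant part of the file. INVARIANT_BODY is constructed filler, not malware.
import hashlib
import os

INVARIANT_BODY = b"DEMO-PROGRAM-BODY:" + bytes(range(256)) * 4  # 1042 bytes, constructed
PREFIX_LEN = 512  # signature covers the first 512 bytes, which appended junk never touches


def make_padded_generation(body: bytes, pad_len: int) -> bytes:
    """Model one 'generation': the unchanged body followed by pad_len bytes of random junk."""
    return body + os.urandom(pad_len)


def full_file_sha256(data: bytes) -> str:
    """Whole-file hash: changes whenever the padding changes."""
    return hashlib.sha256(data).hexdigest()


def prefix_signature(data: bytes, prefix_len: int = PREFIX_LEN) -> str:
    """Hash only the leading bytes, the part that appended rubbish cannot alter."""
    return hashlib.sha256(data[:prefix_len]).hexdigest()


def compare_detections(sample: bytes, known: bytes) -> dict:
    """Report which matching strategies would link `sample` to one previously captured copy."""
    return {
        "size_match": len(sample) == len(known),
        "full_hash_match": full_file_sha256(sample) == full_file_sha256(known),
        "prefix_signature_match": prefix_signature(sample) == prefix_signature(known),
    }


if __name__ == "__main__":
    known = make_padded_generation(INVARIANT_BODY, 100)
    for pad in (0, 250, 3000):
        sample = make_padded_generation(INVARIANT_BODY, pad)
        print(len(sample), compare_detections(sample, known))
```

The prefix hash stands in for whatever invariant content a scanner keys on; the example assumes only the trailing junk changes between generations, which is all the article claims.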

Shipp believes that the email form of Sobig.F poses a greater threat to home users than to businesses, as "many firms will be blocking .pif files already".

Shipp added that the major antivirus firms should already be producing patches to address Sobig.F, and suggested that consumers would be advised to compare notes about how their antivirus protection worked, as some products have been much better than others at catching Sobig variants.

Sobig.E, which emerged in June, attempted to hijack PCs in order to use them to send spam emails. It is thought that Sobig.F does the same, which Shipp believes is proof that the virus writer is working closely with spammers. As most spammers live in the US, the odds are that the virus writer is based there as well, he said.

It's also unlikely that Sobig.F will be the last strain to emerge. "It is programmed to stop on 10 September, but by then there will be another variant out there," predicted Shipp.

CNET Asia staff and CNET News.com's Robert Lemos contributed to this story.

Talkback

Attacks through P2P networks?

Hmm, strange. Can we infer that there might be the hand of a certain group, rabidly opposed to P2P networks because it may negate their ability to flim-flam musicians forever?

Did that group commission the virus writer? Given its penchant for underhanded chicanery, it is certainly worth a thought.

via Facebook 20 August, 2003 16:58

I believe I have been infected with the Sobig.F virus, even though I have never opened a .pif file.

At first, I was submerged with an abnormal amount of email. All of them were coming from a Denmark IP. They all came from different email address although the IP was the same. The message was always the same: "Please see the attached file for details." but the subject could vary and the attached file, always a .pif, could vary also. I have never opened one of these files.

On a second stage, I received a lot of undelivered mail. They were sent with my email address and they contained the virus. How could this be possible if I didn't open the attached .pif file? I believe this virus was (or is still) activated through P2P. I recently used Kazaa and eDonkey, or it was included in freeware I recently installed (Foxmail, Hotpop, Mozilla Thunderbird, GRL Real Hidden, iOpus SEA).

I have checked (online scans) with McAfee (didn't find anything; online scan and Stinger), Panda (found the infected attachments) and others, and I couldn't find any trace of the Sobig.F virus in the registry.

I have the bitter sensation that somebody is taking control of part of my computer.

via Facebook 21 August, 2003 11:55

If you use the preview pane in Outlook Express, you don't need to open an email to get a virus. Shut off the preview pane and go to your email options/security and check the box that says "Do not allow attachments to be saved or opened that could potentially contain a virus." I also check-mark the box that says "Alert me when other applications try to send mail as me." This (along with a virus scanner and firewall) should protect you from catching and spreading a virus. Keep Windows updated and download all the critical updates!

via Facebook 22 August, 2003 04:46

The worm uses false e-mail addresses when it copies itself--that is, it looks like it's coming from you, when it actually is stemming off someone else's computer. I had the same thing happen, but if you've checked for the .exe file in your WINNT folder & it isn't there, chances are you don't have it. Especially if you haven't opened a .pif file. Most of the websites I checked said the .pif files must be run manually in order to infect, so the worst effect you should have is a crap load of spam. Check out http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html for more info. Good luck!

via Facebook 22 August, 2003 15:00

Do you use a preview pane? Not too sure on my facts, but that can preview attachments, hence running the virus.

Chris W

via Facebook 22 August, 2003 22:42
