The Sobig worm has a new addition to its malicious family.
Sobig-F is the latest variant of the Sobig worm to be detected spreading rapidly in the wild. The newest variant was first detected Monday, Aug. 18 and appears to have originated in the United States, according to analysts from MessageLabs, Inc., an anti-virus company based in New York.
Sobig-F is a mass-mailing worm that can also spread via network shares, according to Sophos, Inc., an anti-virus company based in Lynfield, Mass. When it arrives via email, the worm poses as a PIF or SCR file.
“The author of the Sobig worms has pulled this particular confidence trick several times before,” says Graham Cluley, senior technology consultant for Sophos. “Many users know to be cautious about running unsolicited EXE files, but they should be equally wary about running PIF files or screensavers. All computer users should exercise caution when deciding what is safe to run on their computers.”
Analysts report that the sender’s address is spoofed. The subject lines used are taken from a list, including ‘Re: That movie’, ‘Re: Wicked screensaver’, ‘Re: Approved’ and ‘Your details’.
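A mail-gateway style check for the traits reported above, written as an added example (not code from Sophos, MessageLabs or the article). It flags PIF/SCR attachments and the quoted subject lines, and ignores the From header because the sender address is spoofed. The sample messages and attachment filenames are constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment types the article says Sobig-F poses as.
RISKY_EXTENSIONS = {".pif", ".scr"}
# Subject lines quoted in the article; the worm's full list is longer.
REPORTED_SUBJECTS = {"re: that movie", "re: wicked screensaver",
                     "re: approved", "your details"}

def inspect_message(raw):
    """Return a list of findings for one raw RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    # The From header is deliberately not consulted: it is spoofed.
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in REPORTED_SUBJECTS:
        findings.append("subject on reported list: %r" % subject)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Compare case-insensitively and drop trailing dots/spaces so
        # 'x.SCR' or 'x.pif.' cannot slip past; only the final extension
        # counts, which also covers names such as 'movie.txt.pif'.
        cleaned = name.strip().rstrip(". ").lower()
        ext = os.path.splitext(cleaned)[1]
        if ext in RISKY_EXTENSIONS:
            findings.append("risky attachment type %s: %r" % (ext, name))
    return findings

def build_sample(subject, filename):
    """Construct a test message (constructed data, not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"   # placeholder, spoofable anyway
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("See the attached file for details.")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("Re: Approved", "your_details.pif"),
                        ("Quarterly numbers", "report.pdf")]:
        print(subj, "->", inspect_message(build_sample(subj, fname)))
```

Blocking on the attachment type alone is the stronger control; the subject list only helps triage, since the article notes the author varies subject lines between variants.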
Like other variants of Sobig, the worm is programmed to stop working on a particular date. Sobig-F is designed to quit on Sept. 10.
“Putting a ‘dead-date’ on his viruses suggests that the Sobig author is effectively test-driving his creations to see which tricks work best from the technical and psychological point of view,” explains Cluley. “Releasing Sobig variants on different days of the week, and using slightly different subject lines and filenames, suggests that the worm’s author may be trying to find the ‘perfect’ conditions under which his viruses can spread most quickly.”
The Sobig family of worms has been a major problem for IT managers, wreaking havoc on the Internet for months now. Last month, Sophos reported that the Sobig family accounted for more than half of all virus reports for July.
Five Sobigs have been released this year. Sobig-E, a new variant, accounted for 47.8 percent of all worm and virus incidents reported to Sophos last month. And it accounted for nearly 18 percent at Central Command, Inc., an anti-virus company that also tracks the worst virus offenders.
Sophos analysts report that, combined, the Sobig worms have had the biggest impact on business networks so far this year.