Sobig... and still so bad

by Antone Gonsalves  on Aug 21, 2003

The Sobig email virus spread unabated for a second day across the Internet, as security experts discovered Wednesday that the malicious program also had the ability to update itself.

The fourth variant of a worm first discovered in January appeared to be infecting PCs at the same rate as Tuesday, based on the number of people emailing the virus to anti-virus company Symantec, which has listed Sobig as a "level-three" virus. Level five is the highest rating.

"It seems to be affecting consumers more than enterprises," Alfred Huger, senior director of engineering for Symantec's security response team, said. "Having said that, both are seeing significant amounts of the virus."

Network Associates Technology, another anti-virus vendor, said three home PCs were being infected for each enterprise computer. Businesses typically move faster in protecting networks, updating anti-virus software and taking other security measures. Network Associates rated the virus a "high threat".

Code-named W32/Sobig.F-mm, the latest variant did not get a higher rating from Symantec because the worm was not as destructive to a computer as other viruses. However, Sobig is unusual in that it has the ability to go onto the Internet from its host PC and update itself with new capabilities, Huger said.

Those capabilities could include tools for denial-of-service attacks or relaying spam. "It's entirely up to the author (of the virus)," Huger said. "It can download whatever its heart desires."

Because the worm and its variants have been spreading for months, the author controls a vast network of PCs, but "what he or she is doing with them is still anybody's speculation," Huger said.

Sobig is also unusual in the number of variants. "The author has been very prolific," Huger said. "The variants were likely written by the same person."

Worms such as Sobig usually spread rapidly over the first two days, then slow as quickly as PC users update their anti-virus software. As of midday Tuesday, MessageLabs, which provides email services to companies, had intercepted more than 100,000 emails carrying the virus.

Worms embed software that enables hackers to take control of a PC or steal passwords. Sobig.F is arriving in email under a subject line that typically says "Re: details", "details", "your details", "thank you", or "resume". The sender is disguised as someone who may be familiar to the recipient, such as the name of a company or person.

Once the attachment containing the virus is opened, Sobig steals email addresses from several different locations on the computer, including the Windows address book and Internet cache, then sends copies of itself out to those addresses. The virus, which sends multiple emails concurrently, selects addresses randomly for use as the sender, attempting to fool recipients into thinking the email is from a company or other legitimate source.

The attachments' names may include your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document.Fall.pif, application.pif, and document.9446.pif.
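
A mail gateway can turn the subject lines and attachment names listed above into a filter rule. The following Python sketch is an added example, not part of the original article or any vendor's tooling; the verdict policy, the function names and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the article for Sobig.F, lower-cased for comparison.
SUBJECTS = {"re: details", "details", "your details", "thank you", "resume"}
ATTACHMENTS = {
    "your_document.pif", "details.pif", "your_details.pif", "thank_you.pif",
    "movie0045.pif", "document.fall.pif", "application.pif", "document.9446.pif",
}

def score_message(raw: bytes) -> dict:
    """Report which of the article's indicators a raw RFC 5322 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    # Collect every attachment filename across all MIME parts.
    names = [p.get_filename().strip().lower() for p in msg.walk() if p.get_filename()]
    known = [n for n in names if n in ATTACHMENTS]
    pif = [n for n in names if n.endswith(".pif")]
    subject_hit = subject in SUBJECTS
    # Assumed policy (not from the article): a listed name, or any .pif plus a
    # listed subject, is blocked; any other .pif is quarantined, because the
    # article says the names "may include" the list, so it is not exhaustive.
    if known or (pif and subject_hit):
        verdict = "block"
    elif pif:
        verdict = "quarantine"
    else:
        verdict = "pass"
    return {"subject_match": subject_hit, "known_attachment": known,
            "pif_attachment": pif, "verdict": verdict}

def build_sample(subject: str, filename: str = None) -> bytes:
    """Build a constructed test message; addresses and body are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Constructed sample body.")
    if filename:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, name in [("Re: Details", "your_details.pif"),
                       ("Quarterly report", "notes.pif"),
                       ("Re: details", None)]:
        print(subj, name, score_message(build_sample(subj, name))["verdict"])
```

A subject match alone returns "pass" because the listed subject lines are also common in legitimate mail.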

Because of its mass-mailing capabilities, Sobig can eat up bandwidth and slow a company's network performance. However, the virus isn't considered as malicious as others, since it doesn't delete files or damage an infected PC.

Nevertheless, the bigger danger lies in its ability to open a port in a computer, enabling a hacker to upload a Trojan. The small application can let a hacker take control of a computer or search for passwords in the system to break into people's online accounts.

Spammers also use Trojans to send out mass mailings through someone else's PC, hiding the originator of the spam. Because of the way Sobig is written, some anti-virus experts believe it is most likely the tool of a spammer.

Copyright (c) 2003 CMP Media LLC