Sobig Sequel Not Welcome

A comeback by a baseball team is exhilarating. A comeback by an Internet worm is about as welcome as a screen door on a submarine. Which is just about the way analysts are greeting the news that Sobig, the worm which wreaked no small havoc in cyberspace earlier this year, has returned in what e-mail service provider MessageLabs describes as a more virulent form than the first series.

MessageLabs reported it first captured the new Sobig variant – called W32/Sobig.F-mm – from within the United States on August 18, and that the new Sobig has since been spotted in Great Britain, Norway, and the Netherlands, among other places. The company says it has captured about 46,308 copies of the new Sobig from 67 countries as of August 19, and is classifying it as a high-risk worm for now.

"Initial analysis would suggest that Sobig.F is a mass-e-mailing virus that is spreading very vigorously," said MessageLabs in an official statement. "Sobig.F appears to be polymorphic in nature. The address is also spoofed and may not indicate the true identity of the sender." The company said the forged sender address typically appears to belong to a recognized domain such as IBM.com, ZDNet.com, or Microsoft.com, with typical subject lines being "Re: Details," "Resume," or "Thank you."

The new e-mails' attachment names can include your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document_Fall.pif, application.pif, and document_9446.pif, MessageLabs continued. The virus harvests e-mail addresses from various locations on the infected computer, including Windows address books and Internet caches, and sends a copy of itself to each one. The new variant also forges the message source with a randomly selected e-mail address, making the tainted message seem to come from someone else, the company added.
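As an added illustration (not code from the article or from MessageLabs), the following Python check shows how a mail gateway can turn the indicators quoted above into a filter: it parses a message, pulls out attachment filenames, and flags the known Sobig.F names, any .pif-style executable attachment, and the reported subject lines. The sample messages, sender addresses and attachment bytes are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names and subject lines as reported by MessageLabs for Sobig.F.
SOBIG_F_ATTACHMENTS = {
    "your_document.pif", "details.pif", "your_details.pif", "thank_you.pif",
    "movie0045.pif", "document_fall.pif", "application.pif", "document_9446.pif",
}
SOBIG_F_SUBJECTS = {"re: details", "resume", "thank you"}
# Broader rule a gateway applies regardless of this worm's file names:
# .pif and similar extensions are Windows executables and should not arrive by e-mail.
EXECUTABLE_EXTENSIONS = (".pif", ".exe", ".scr", ".com", ".bat")


def attachment_names(msg):
    """Return the filenames of all attachments in a parsed message."""
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def classify_message(raw):
    """Parse a raw RFC 822 message and return a dict of verdicts.

    Because the report says the From: address is forged, none of these verdicts
    should be used to notify or block the apparent sender.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = [n.lower() for n in attachment_names(msg)]
    subject = str(msg["Subject"] or "").strip().lower()
    return {
        "known_sobig_attachment": any(n in SOBIG_F_ATTACHMENTS for n in names),
        "executable_attachment": any(n.endswith(EXECUTABLE_EXTENSIONS) for n in names),
        # Subject alone is a weak signal: legitimate mail uses these lines too.
        "known_sobig_subject": subject in SOBIG_F_SUBJECTS,
    }


def build_sample(subject, sender, filename):
    """Build a constructed sample message (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"MZ constructed placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# A worm-style message with a spoofed sender versus an ordinary reply with a PDF.
WORM_SAMPLE = build_sample("Re: Details", "someone@microsoft.com", "your_document.pif")
CLEAN_SAMPLE = build_sample("Re: Details", "colleague@example.invalid", "notes.pdf")

if __name__ == "__main__":
    for label, raw in (("worm", WORM_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, classify_message(raw))
```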

And because the engine it uses to send the e-mail is what MessageLabs calls "multithreaded," Sobig.F is more efficient than the earlier versions that snaked around cyberspace in May and June: it can send multiple e-mails at once rather than waiting for each send to finish before starting the next, the company said.