Sobig worm getting bigger

A new computer virus, Sobig, is spreading on the Internet, according to alerts posted by a number of antivirus software companies.

Sobig is a worm that uses e-mail and shared network folders to infect machines running Microsoft Corp.'s Windows operating system, according to information posted on the Web site of Helsinki antivirus company F-Secure Corp.

The worm arrives in e-mail messages from a single sender, "" and is stored in attached executable files with names such as "Sample.pif," "Untitled1.pif" and "Movie_0074.mpeg.pif," according to F-Secure.

When opened, the worm places a copy of itself into the Windows folder on the infected machine, creates a process to run the worm program and modifies the Windows registry so that the worm program will be launched whenever Windows is started.

Once it has infected a machine, the worm searches for e-mail addresses in a variety of text files on the computer's hard drive. Those addresses are used to send out more copies of itself. Sobig also searches for any shared folders on networks that the infected machine may have access to and places a copy of itself in any network folder it can access.

Although the new worm does not appear to steal sensitive information from the computers it infects, antivirus companies warned that the worm does connect to a Web site hosted by Yahoo Inc.'s GeoCities, from which it tries to download and execute other files, according to F-Secure.

The GeoCities Web page used by Sobig was modified recently to instruct the worm to download a trojan program known as Backdoor.Delf that gives the virus writer and others control of infected machines, according to Mikko Hyppönen, manager of antivirus research at F-Secure.

GeoCities has been notified about the page by F-Secure as well as the CERT Coordination Center, according to Hyppönen. Yahoo was not immediately available to comment on the Sobig worm.

The worm first came to the attention of antivirus companies on Thursday and began spreading slowly, Hyppönen said.

In recent days, however, the virus has spread more rapidly and the number of machines infected by Sobig has grown.

As of Tuesday, F-Secure gave the worm a Level 2 ranking, indicating that it is "causing large infections" and putting it in a category with well-known predecessors such as the Klez worm.

Other antivirus companies upgraded their threat ratings for Sobig, as well. On Monday, Symantec Corp.'s Security Response upgraded Sobig from a category 2 to a "moderate" category 3 threat.

The success of Sobig since it first appeared surprised Hyppönen, who said that Sobig is a comparatively simple worm that lacks many of the sophisticated features that allow a new generation of viruses to spread.

For example, Sobig always arrives in e-mail messages from the same sender, "," unlike recent successful worms such as Bugbear or Lirva, which generated their own sender addresses, swapped in trusted sender addresses from sources such as antivirus vendors, or selected them at random from a long list.

In addition, the Sobig e-mail messages use one of only a small number of subjects such as "Movie," "Sample," and "Document" and attachment names. Recent worms use a far larger list of possible subjects and attachment names or generate their own at random, making it harder for antivirus software to identify such threats, according to Hyppönen.

Finally, Sobig requires e-mail recipients to double click on the attachment containing the worm. Recent vintage worms like Lirva and Bugbear often take advantage of a Microsoft Internet Explorer and Outlook vulnerability known as the "IFrame exploit" that allows e-mail attachments to be launched without any user interaction when an e-mail message is opened or simply viewed in an e-mail preview pane.

"I don't know why its spreading. I cannot explain it at all," Hyppönen said.

Most antivirus software vendors updated their software to be able to identify Sobig by Thursday. With auto update features standard on such programs --and even without such features -- the Sobig filter was available to most users in plenty of time to stop the spread of the worm, Hyppönen said

One possible explanation is that, while not widespread, Sobig may be particularly effective at sending out copies of itself. Hyppönen said that an analysis he conducted of 20 Sobig-infected e-mail messages led back to just three infected machines.

A similar phenomenon was noted with the Klez worm when it first appeared, Hyppönen said.

While Sobig's outbreak has likely peaked, the worm was likely to linger on the Internet for a long time, Hyppönen said.

Antivirus software vendors posted instructions on their Web pages for removing Sobig from infected machines and recommended that all users update their virus definitions to protect against the new worm.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

PC World
Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?