A new computer virus, Sobig, is spreading on the Internet, according to alerts posted by a number of antivirus software companies.
Sobig is a worm that uses e-mail and shared network folders to infect machines running Microsoft Corp.'s Windows operating system, according to information posted on the Web site of Helsinki antivirus company F-Secure Corp.
The worm arrives in e-mail messages from a single sender, "email@example.com" and is stored in attached executable files with names such as "Sample.pif," "Untitled1.pif" and "Movie_0074.mpeg.pif," according to F-Secure.
When opened, the worm places a copy of itself into the Windows folder on the infected machine, creates a process to run the worm program and modifies the Windows registry so that the worm program will be launched whenever Windows is started.
Once it has infected a machine, the worm searches for e-mail addresses in a variety of text files on the computer's hard drive. Those addresses are used to send out more copies of itself. Sobig also searches for any shared folders on networks that the infected machine may have access to and places a copy of itself in any network folder it can access.
Although the new worm does not appear to steal sensitive information from the computers it infects, antivirus companies warned that the worm does connect to a Web site hosted by Yahoo Inc.'s GeoCities, from which it tries to download and execute other files, according to F-Secure.
The GeoCities Web page used by Sobig was modified recently to instruct the worm to download a trojan program known as Backdoor.Delf that gives the virus writer and others control of infected machines, according to Mikko Hyppönen, manager of antivirus research at F-Secure.
GeoCities has been notified about the page by F-Secure as well as the CERT Coordination Center, according to Hyppönen. Yahoo was not immediately available to comment on the Sobig worm.
The worm first came to the attention of antivirus companies on Thursday and began spreading slowly, Hyppönen said.
In recent days, however, the virus has spread more rapidly and the number of machines infected by Sobig has grown.
As of Tuesday, F-Secure gave the worm a Level 2 ranking, indicating that it is "causing large infections" and putting it in a category with well-known predecessors such as the Klez worm.
Other antivirus companies upgraded their threat ratings for Sobig, as well. On Monday, Symantec Corp.'s Security Response upgraded Sobig from a category 2 to a "moderate" category 3 threat.
The success of Sobig since it first appeared surprised Hyppönen, who said that Sobig is a comparatively simple worm that lacks many of the sophisticated features that allow a new generation of viruses to spread.
For example, Sobig always arrives in e-mail messages from the same sender, "firstname.lastname@example.org," unlike recent successful worms such as Bugbear or Lirva, which generated their own sender addresses, swapped in trusted sender addresses from sources such as antivirus vendors, or selected them at random from a long list.
In addition, the Sobig e-mail messages use one of only a small number of subjects such as "Movie," "Sample," and "Document" and attachment names. Recent worms use a far larger list of possible subjects and attachment names or generate their own at random, making it harder for antivirus software to identify such threats, according to Hyppönen.
Finally, Sobig requires e-mail recipients to double click on the attachment containing the worm. Recent vintage worms like Lirva and Bugbear often take advantage of a Microsoft Internet Explorer and Outlook vulnerability known as the "IFrame exploit" that allows e-mail attachments to be launched without any user interaction when an e-mail message is opened or simply viewed in an e-mail preview pane.
"I don't know why its spreading. I cannot explain it at all," Hyppönen said.
Most antivirus software vendors updated their software to be able to identify Sobig by Thursday. With auto update features standard on such programs --and even without such features -- the Sobig filter was available to most users in plenty of time to stop the spread of the worm, Hyppönen said
One possible explanation is that, while not widespread, Sobig may be particularly effective at sending out copies of itself. Hyppönen said that an analysis he conducted of 20 Sobig-infected e-mail messages led back to just three infected machines.
A similar phenomenon was noted with the Klez worm when it first appeared, Hyppönen said.
While Sobig's outbreak has likely peaked, the worm was likely to linger on the Internet for a long time, Hyppönen said.
Antivirus software vendors posted instructions on their Web pages for removing Sobig from infected machines and recommended that all users update their virus definitions to protect against the new worm.