Computer Crime Research Center

Sobig worm stomps on PCs
(By Matthew Broersma)

Antivirus experts are warning of a new virus, code-named W32/Sobig.A, which was discovered late last week and spread rapidly over the weekend. By Monday morning, Sobig was the second most prevalent virus on the Internet, according to e-mail security firm MessageLabs.

Sobig is a mass-mailing worm incorporating its own SMTP engine, according to antivirus companies. It arrives from the e-mail address "" and bears a subject line such as "Re: here is that sample", "Re: Movies", "Re: Document" or "Re: Sample". The e-mail contains an attachment called "Document003.pif", "Sample.pif", "Untitled1.pif" or "Movie 0074.pif".

It affects the Windows 95, 98, Me, NT, 2000 and XP platforms. The worm was originally not considered a serious threat, but has been upgraded due to its rapid spread.

When the attachment is clicked on, it runs a program that searches for files containing e-mail addresses and uses these to send infected e-mails. It also connects to a Web site and downloads a text file containing another Web address, from which it attempts to download and run another program. MessageLabs speculated that this program was a backdoor trojan horse, which could allow a hacker to take control of the user's PC.

If there is a local-area network connection, Sobig attempts to copy itself onto shared network folders.

It was first detected on Thursday in the Netherlands, according to MessageLabs, and is most active in the Netherlands, the UK and the United States.

The worm has spread rapidly despite its reliance on an attachment that must be downloaded and launched by a user. However, many experts are predicting the imminent appearance of viruses that are able to infect millions of computers in a matter of minutes or seconds by attacking server vulnerabilities directly, without human intervention.

Last week's Lirva worm, which is still in MessageLabs' top five list, also spread through "social engineering"--tricking users into launching a damaging program.

Sophos, Symantec and McAfee have published instructions for blocking and removing the worm.
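As an added illustration (not code from the article or from the vendors it cites), the following Python example checks a raw message against the subject lines and attachment names listed above, and also holds any other .pif attachment. The function names, verdict labels, hold-all-.pif policy and sample messages are assumptions constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the article, lower-cased for comparison.
SUBJECTS = {"re: here is that sample", "re: movies", "re: document", "re: sample"}
ATTACHMENTS = {"document003.pif", "sample.pif", "untitled1.pif", "movie 0074.pif"}

def normalize(name: str) -> str:
    # Collapse whitespace, lower-case, and drop trailing dots/spaces, which
    # Windows ignores when the file is saved ("Sample.pif." -> "Sample.pif").
    return " ".join(name.split()).lower().rstrip(". ")

def classify(raw: bytes) -> dict:
    """Check one raw RFC 5322 message against the article's indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_hit = normalize(str(msg.get("Subject", ""))) in SUBJECTS
    # get_filename() decodes the Content-Disposition filename of each MIME part.
    names = [normalize(p.get_filename()) for p in msg.walk() if p.get_filename()]
    pif = [n for n in names if n.endswith(".pif")]
    known = [n for n in pif if n in ATTACHMENTS]
    if subject_hit and known:
        verdict = "sobig-a-indicators"   # subject and attachment name both listed
    elif pif:
        verdict = "pif-attachment"       # assumed gateway policy: hold any .pif
    else:
        verdict = "clean"
    return {"verdict": verdict, "subject_hit": subject_hit, "pif": pif}

def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message; the attachment body is inert placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content("see attachment")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fn in [("Re: Movies", "Movie 0074.pif"),
                     ("Quarterly report", "REPORT.PIF."),
                     ("Re: Sample", "notes.txt")]:
        print(subj, "|", fn, "->", classify(build_sample(subj, fn)))
```

Matching on the attachment extension as well as the listed names keeps the check useful if a later variant changes its subject line or file name.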
