Sobig.E@MM worm spreading around globe

The latest version of the Sobig worm is making its way through computer networks around the world, apparently causing no direct damage but hogging bandwidth and IT resources in its path.

The new worm, called W32.Sobig.E@MM, has been showing up around the globe since yesterday, according to Graham Cluley, senior technical consultant for antivirus software vendor Sophos PLC in Oxford, England. So far, it’s only annoying, but it could be a precursor to more serious and damaging attacks, he said.

The worm affects network PCs that run the Windows 95/98/Me and Windows NT/2000 operating systems, according to Sophos. It spreads by scouring an infected computer’s hard drive for e-mail addresses in address books or even Web browser cache files, then sends itself out to the addresses it finds. It can spoof its sender’s address, so the recipients believe they are receiving a message from someone they know.

This is the latest in a series of Sobig worms in recent months, Cluley said. The new version is being sent as a .zip file, perhaps to allow it to spread in corporate environments where .exe and other file types are automatically blocked in incoming e-mails, he said. “It’s hard to speculate” why the new approach was taken, he said.

While the virus does no actual harm, the spoofed messages can elicit anger from customers and users who receive the worm, Cluley said. He noted that a future version of the worm could be used to set up infected machines for relaying spoofed messages that could be used for destructive purposes.

The new worm is set to automatically time itself out and stop spreading on July 14, according to Sophos. One reason for the ending date, Cluley said, is that the virus creator may believe that it would provide a good defence if he is caught and prosecuted. “In our minds, that’s nonsense, because a virus like this can spread around the world in a matter of hours,” which makes an ending date a moot issue, he said.

Marty Lindner, a team leader for incident handling at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh, said the rapid spread of the worm since yesterday means recipients are still opening files in messages even when they have been warned countless times in the past that it’s unsafe to do so.

The virus apparently spread too quickly for the antivirus vendors to react and update their antivirus products, he said.

“This is a good indication of the viruses winning” this round, Lindner said. “You can’t always rely on antivirus as the silver bullet.” Users need to pay more attention to incoming files and e-mail and not open files if they’re not expecting to receive them for specific reasons, he said.

Also posting warnings, information and fixes for the Sobig-E worm are vendors Symantec Corp. and McAfee Security.

The subject line of the worm identifies itself as an application, movie, document, screensaver or application, in addition to other variants.

The prior version, SoBig-D was first seen last week. Earlier versions of the worm, such as W32/Sobig-C and W32/Sobig-B, would sometimes purport to come from Bill Gates at Microsoft or Microsoft technical support, according to Sophos. [Please see Sobig.C getting bigger.]