Anti-virus security firms on Monday increased the alert level for the latest
variant of the SoBig e-mail worm after it spread rapidly over
the weekend, targeting machines in about 84 countries.
The mass-mailing virus, which masquerades as an e-mail from
[email protected], is similar to former variants of the SoBig worm
family. But a new network worm component has been added to SoBig.C to speed up the spread of the virus over open shared networks and preconfigured default startup locations on networked computers.
Security consultancy iDefense has validated more than 30,000
interceptions of the worm, which has been programmed to stop spreading
on June 8. However, the company warned that SoBig.C is capable of sending
infected e-mails from machines beyond that date because of incorrectly configured clocks.
F-Secure also increased the
alert level for the worm, which collects e-mail addresses from various
files on the infected computer and sends the infected e-mails with variable
subjects, content, filenames and file sizes.
To send infected messages, F-Secure warned that SoBig.C makes a direct
connection to the default SMTP server and steals e-mail addresses from .TXT,
.EML, .HTML, .HTM, .DBX, .WAB files in all directories on all available
“In addition to the e-mail spreading, SoBig.C will search for Windows
machines within the infected Local Area Network and will try to copy itself
to their Startup folder. This will fail unless users are sharing their
Windows directories with write access, a thing that should never be done,”
the company said.
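The direct-to-SMTP behaviour described above is the easiest part of a mass-mailer like SoBig.C to spot at the network edge: an ordinary workstation has no reason to open TCP/25 to many different mail servers. The following detection logic is an added example, not code from the article or from F-Secure; the log line format, the approved relay address and the sample entries are constructed here for illustration.

```python
"""Flag hosts that bypass the mail relay and speak SMTP directly, a SoBig.C-style signal."""
from collections import defaultdict

# Constructed sample firewall log: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2003-06-02T09:00:01 10.0.0.12 -> 10.0.0.5:25 tcp
2003-06-02T09:00:02 10.0.0.12 -> 10.0.0.5:25 tcp
2003-06-02T09:00:03 10.0.0.44 -> 203.0.113.50:25 tcp
2003-06-02T09:00:03 10.0.0.44 -> 198.51.100.7:25 tcp
2003-06-02T09:00:04 10.0.0.44 -> 203.0.113.9:25 tcp
2003-06-02T09:00:04 10.0.0.44 -> 192.0.2.88:25 tcp
2003-06-02T09:00:05 10.0.0.44 -> 192.0.2.88:25 tcp
2003-06-02T09:00:06 10.0.0.44 -> 198.51.100.200:80 tcp
2003-06-02T09:00:07 10.0.0.20 -> 192.0.2.1:25 tcp
"""

APPROVED_RELAY = "10.0.0.5"  # assumption: the only host that may send SMTP outbound


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->" or ":" not in parts[3]:
        return None
    dst_ip, _, port = parts[3].rpartition(":")
    if not port.isdigit():
        return None
    return parts[1], dst_ip, int(port)


def find_direct_smtp_senders(log_text, relay=APPROVED_RELAY, min_distinct=3):
    """Map source IP -> sorted non-relay SMTP destinations, keeping only hosts
    that contacted at least `min_distinct` different mail servers directly.
    One stray connection is tolerated; fan-out to many servers is the mass-mailer pattern."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port = rec
        if port == 25 and dst != relay:
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_distinct}
```

Feed it real connection logs with the same fields and the reported hosts are the ones to isolate and scan first; lowering `min_distinct` trades fewer misses for more noise.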
F-Secure product manager Mikael Albrecht said an interesting pattern was
detected with the latest variant of the SoBig worm. SoBig.B, which was
detected in the wild sparingly just weeks ago, was programmed to die on May
31. That’s the same day that SoBig.C was found.
“SoBig.C is programmed to die on June 8th, so time will tell if we can
expect SoBig.D to make its first appearance after that,” Albrecht noted.
has also upgraded the SoBig.C threat from a
Category 2 to a Category 3, while McAfee now rates it a “medium risk”.