A new variant of the W32/SoBig worm hit the radar Wednesday, causing security consultants iDefense to predict that like its predecessors, the mass-mailing worm will become one of the top five most prevalent in the world within 48 hours.
So far, W32.Sobig.D@mm, or just SoBig.D, garners a “low” threat assessment from both Symantec and McAfee. Symantec noted that the worm is easily contained and easily removed.
The last variant, SoBig.C, was programmed to die on June 8. Many security experts expected to see SoBig.D make its appearance that same day, based on the pattern of previous variants of the SoBig worm.
SoBig.B was programmed to die on May 31. That’s the same day that SoBig.C was found.
“SoBig.C is programmed to die on June 8th so time will tell if we can expect SoBig.D to make its first appearance after that”, F-Secure product manager Mikael Albrecht told internetnews.com on June 2, after SoBig.C spread rapidly over a weekend, targeting machines in about 84 countries.
SoBig.D is slated to turn itself off on July 2.
“The author of the SoBig.D worm likely waited a few days after security experts published information expecting a new variant to appear on the kill date of SoBig.C,” said Ken Dunham, senior intelligence analyst for iDefense. “It’s truly amazing to watch a
series of worms be sequentially released, with such great success in the wild. SoBig.D spits in the face of traditional security measures, showing how important it is to have rapid response systems and intelligence programs in place to help respond to
such threats.”
While firms like Symantec and McAfee say the new worm’s threat rating is low, iDefense has concluded it has a moderate severity rating. “SoBig.D is quickly gaining ground in the wild,” Dunham said. “We recommend taking immediate action to mitigate this emerging threat. To effectively block against the e-mail component of this worm, simply block e-mail attachments such as .exe, .scr, and .pif at the gateway level.”
SoBig.D is a mass-mailing worm that sends itself to all the email addresses that it finds in files with the following extensions:
- .wab
- .dbx
- .htm
- .html
- .eml
- .txt
iDefense said it falsely claims to be sent by admin@support.com. The subject is one of the following: Re: Documents, Re: App. 00347545-002, Re: Movies, Application Ref: 456003, Re: Your Application (Ref: 003844), Re: Screensaver, Re: Accepted, or Your Application.
The message body asks the recipient to “See the attached file for details.” The attachments come with various names, including: Document.pif, app003475.pif, movies.pif, ref_456.pif, Application844.pif, Screensaver.scr, Accepted.pif, Applications.pif, and Application.pif.
iDefense said that if the malicious attachment is executed, SoBig.D attempts to install itself in the Windows directory as cftrb32.exe. It then attempts to modify the Windows registry to run the worm upon Windows startup and performs a mass mailing routine using its own SMTP server. SoBig.D also attempts to connect to a wide range of IP addresses, mostly related to universities worldwide, and also communicates on numerous ports such as UDP ports 995-999 and others.