The "Sobig" Worm Is Back

02 Jun 2003
Virus News


Kaspersky Lab, an international data security software developer, reports the detection of a new version of the network worm "Sobig". Considering the wide spread of previous versions, Kaspersky Lab' experts fear the likelihood of a recurrent large-scale epidemic. Already there have been numerous registered infections from the new version of this malicious program. From the time of the first appearance of the "Sobig" worm in mid January 2003 three versions have been identified and indexed as 'A', 'B' and 'C'. Despite this, in the May compilation of the twenty most widespread viruses (http://www.kaspersky.com/news.html?id=978792) Sobig has managed to confidently outpace such infamous titans as "Klez" and "Lentin" (aka "Yaha"). The "Sobig" worm spreads itself via e-mail in the form of a file attachment as well as over local area networks. To spread over LANs Sobig copies itself to shared network drives, while via e-mail the worm scans infected computers for files containing e-mail addresses and then clandestinely sends copies of itself to the found addresses. To draw users into launching the file attachment containing the infected code, "Sobig" employs various social engineering techniques, among which is a message disguised as a technical support message sent from Microsoft. Of the collateral effects caused by Sobig, it is essential to note the worm's ability to download and install from a remote Web-servers updated versions of itself as well as to impregnate infected systems with spyware programs. "Sobig.b" (aka "Palyh") essentially breathed new life into the worm and is the main reason Sobig was able to rise to the highest position in May's accounting of the most widespread virus programs. Still, this version's code contains a time trigger: if the system date on an infected computer surpasses May 31, the worm automatically shuts down all its functions except for its ability to download additional files. This characteristic fundamentally doomed "Sobig.b" as the web-server from which it retrieves its updates has been closed down. "Sobig.c", the worm's newest version is virtually identical to its predecessors, though it is operable only until June eighth, after which it is diffused. "One gets the impression that the creation of 'doomed worms' is somehow a trait of the virus author's particular style; unfortunately the whereabouts of this author are not yet known," commented Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab. "Perhaps we can assume that the next array of worms to appear in this 'Never-ending Story' will be active only until June 16, 23, 30 etc." The defense against this malicious program has already been added to the Kaspersky® Anti-Virus database. More detailed information about all three "Sobig" versions can be found in the Kaspersky Virus Encyclopedia by clicking on their respective names below: Sobig.a
Sobig.b (aka Palyh)
Sobig.c