June got off to a rough start for IT security professionals as the Sobig virus made a mutated comeback and spread rapidly both here and abroad, according to experts.
The virus watchers at e-mail security vendor MessageLabs raised their highest level of alert late yesterday as infections from the new W32/Sobig.c-mm continued to rise. By last night, the firm had intercepted nearly 35,000 copies of the malicious code in more than 100 countries.
According to Mark Sunner, CTO at MessageLabs, the latest Sobig is a mass e-mail virus that uses its own built-in SMTP engine to propogate using a spoofed return address picked up from an infected harddrive or defaulting to "firstname.lastname@example.org." Sunner said the virus spread quickly in Europe and Asia and was expected to continue to infect machines in the U.S. today.
Sobig is a close relative to its namesake predecessor which spread rapidly in January. That virus carryies one of eight subject lines:
Re: Submited (004756-3463)
Re: Your application
The message body is always "see attached file."
Once the malicious payload is dropped, the worm goes through files on the infected machine looking for other e-mail addresses to target. Like the original Sobig, propagation also involves copying itself via network shares to standard Windows system folders , according to MessagleLabs. The worm also installs the file mscvb32.exe into the network shares. It includes a new registry key which enables the worm to run at start up.