De-Worming Mail Servers

Mass-mailing worms ail enterprises.

Welcome to the summer of the Worm. Just eight days after Blaster began chewing its way through the Internet, another variant of the SoBig worm appeared last week, further burdening already-overworked IT and security staffs. As annoying and potentially dangerous as Blaster is, mass-mailing worms such as SoBig are perhaps worse from an enterprise perspective, thanks to their propensity for clogging mail servers and flooding users' in-boxes with electronic flotsam.

Worm food

Recent outbreaks and their effects

342,000 copies seen

Approximately 400,000 machines infected

380,000-plus copies

Sources: MessageLabs, Symantec

Known as SoBig.F, the new variant behaves much like its older siblings, infecting Windows machines via e-mail and sending out dozens of copies of itself.

The variant began spreading on the morning of Aug. 19, and by noon, MessageLabs Inc. had stopped more than 100,000 copies. The virus is approximately 73KB in size, and the attachment that actually contains the malicious code can carry any one of a number of names, according to iDefense Inc., a security company based in Reston, Va. To evade anti-virus scanners, SoBig.F appends a few bytes of garbage to the end of the file, which changes the file's size and characteristics, so a scanner that keys on the exact size or a whole-file checksum of an earlier sample will miss the altered copy.
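The padding trick described above is worth seeing concretely. The following is an added example, not code from the article, iDefense or any anti-virus vendor: it builds a constructed stand-in byte string (not SoBig code), appends a few junk bytes the way the article says the worm does, and compares three kinds of signature. A whole-file hash breaks; a hash over only the fixed-length body and a content marker match both survive. The marker bytes, body length and garbage bytes are all assumptions chosen for the demonstration.

```python
"""
Added example (not from the article or any vendor): why appending
junk bytes to a file defeats a whole-file hash signature but not a
signature keyed on the file's body content.
"""
import hashlib

# Constructed stand-in for a mass-mailer executable. NOT real malware:
# a fake DOS header, a distinctive marker string and a run of NOP bytes.
BASE_SAMPLE = b"MZ" + b"\x00" * 14 + b"SAMPLE-MASSMAILER-BODY" + b"\x90" * 200
MARKER = b"SAMPLE-MASSMAILER-BODY"     # assumed content signature
BODY_LEN = len(BASE_SAMPLE)            # length of the unpadded body

# Assumed "garbage" tail; it deliberately does not contain MARKER.
DEFAULT_GARBAGE = b"\x13\x37\x00\xff\x7a\x21\x04"


def whole_file_hash(data: bytes) -> str:
    """SHA-256 of the entire file, as a simple hash blocklist would use."""
    return hashlib.sha256(data).hexdigest()


def body_hash(data: bytes, body_len: int = BODY_LEN) -> str:
    """SHA-256 of only the first body_len bytes, ignoring any trailing overlay."""
    return hashlib.sha256(data[:body_len]).hexdigest()


def contains_marker(data: bytes, marker: bytes = MARKER) -> bool:
    """Content signature: does the distinctive byte sequence appear anywhere?"""
    return marker in data


def pad_with_garbage(sample: bytes, garbage: bytes = DEFAULT_GARBAGE) -> bytes:
    """Append junk bytes, changing the file's size and whole-file hash."""
    return sample + garbage


def evaluate(original: bytes, variant: bytes) -> dict:
    """
    Report which signatures derived from `original` still match `variant`.
    Keys are the signature type; values are True when the variant is caught.
    """
    return {
        "size_unchanged": len(original) == len(variant),
        "whole_file_hash_matches": whole_file_hash(original) == whole_file_hash(variant),
        "body_hash_matches": body_hash(original) == body_hash(variant),
        "marker_matches": contains_marker(variant),
    }


if __name__ == "__main__":
    padded = pad_with_garbage(BASE_SAMPLE)
    for name, caught in evaluate(BASE_SAMPLE, padded).items():
        print(f"{name:24s} {'caught' if caught else 'EVADED'}")
```

Run stand-alone it shows the size and whole-file hash checks evaded while the body hash and marker checks still catch the padded copy. Real engines do something closer to the latter two (section hashes, byte-pattern signatures, emulation), which is why a few trailing bytes only buy the worm time against the simplest blocklists, not against updated signatures.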

This is the sixth version of SoBig to be released. Anti-virus experts say one of the main reasons virus writers continue to modify and re-release this particular piece of malware is that it downloads a Trojan horse to infected computers, which are then used to send spam. Spammers are constantly in need of new machines through which to route their garbage e-mail, and a virus makes a perfect delivery mechanism for the engine they use for their mass mailings.

The other reason that SoBig seems to be so popular with virus writers is that it works. Plain and simple, users continue to open attachments from people they don't know, even after repeated warnings not to do so.

"Six times a charm when it comes to SoBig, which certainly calls into question why these fairly simple malware attacks continue to successfully propagate," said Ian Hameroff, eTrust security strategist at Computer Associates International Inc., based in Islandia, N.Y.

SoBig.F's arrival comes just eight days after the initial onset of the Blaster worm, which has infected several hundred thousand Windows PCs. Blaster, which exploits a flaw in the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) interface on Windows 2000 and Windows XP machines, also spawned an imitator last week. A worm known as Blaster.D, or Nachi, began spreading Aug. 18, using the same flaw to compromise systems. Nachi, however, also removed the original Blaster worm from infected PCs and attempted to download and install the patch from Microsoft Corp. for the DCOM vulnerability.