Sobig Variant Making a Name for Itself

Sobig.E, which hides inside zipped file attachments, is doing most of its damage in the U.S.

Our long national nightmare continues.

Yet another variant of the persistent and malleable Sobig worm is on the loose. This one, dubbed Sobig.E, is distinct from its older brothers in that it hides inside zipped file attachments. Other than that, the worm is virtually identical to the other Sobig viruses that have been marauding across the Internet for several months.

But, despite its familiar infection method and repeated warnings from anti-virus companies about all of the Sobig worms, the new version is having a field day so far. Since the worms discovery Wednesday, e-mail security provider MessageLabs Inc., of New York, has stopped more than 27,000 copies of Sobig.E. The worm is doing most of its damage in the United States, with only a few infections occurring overseas.

The worm arrives in an e-mail message with one of several subject lines, including: Re: application, and Re: movie. The body text reads, "Please see the attached zip file for details." And the attachment is named "" The zipped file contains the infected .pif file.

Sobig.E also spoofs the "from" address on the messages it sends out from infected machines, disguising which PCs have been hit and making cleanup more difficult, according to an advisory published by Network Associates Inc.s McAfee Security unit.

In addition, the worm is capable of spreading itself through open network shares.

The original Sobig worm appeared in January, and since that time, four variants have popped up, each containing a slight tweak to the original code. Most of the other variants have been minor nuisances, but Sobig.E seems to be following in the footsteps of the original version, which spread very quickly and widely.