SoBig Virus Breaks Speed Records

MessageLabs said it had intercepted more than 1.5 million copies of the "SoBig.F" variant, including more than a million in a single day.

So far, SoBig.

The virus that has been rampaging through corporate networks and bringing mail servers to their figurative knees all week is now officially the most prolific piece of malware ever, at least by one measure. MessageLabs Inc., an e-mail security company based in New York, said it saw more copies of SoBig.F in its first 24 hours of life than it has of any other virus in a comparable period. Ever.

That's no mean feat, considering some of the digital refuse that has hit the Internet in the past couple of years. Viruses such as Klez, Melissa and the Love Bug all caused their fair share of damage and each was at one time or another considered to be as bad as it gets. But this most recent incarnation of SoBig has taken the title, at least for now.


MessageLabs has stopped more than 1.5 million copies of SoBig.F, including more than a million in a single day earlier this week. At the peak of the worm's activity on Wednesday, one in 17 pieces of e-mail was infected. For reference, Klez, which is still one of the most prevalent viruses on the Internet, reached a peak infection rate of one in every 138 e-mails.

"[Tuesday] marked an unprecedented new level in virus propagation and demonstrated the growing ability of virus writers to disrupt business around the globe," said Mark Sunner, chief technology officer at MessageLabs. "The SoBig virus writer's use of an inbuilt expiry date indicates that he is committed to inventing new and improved versions. Each variant released so far has exceeded the previous one in growth and impact during the critical initial window of vulnerability."

Despite the huge numbers associated with SoBig.F, it's difficult to estimate the number of infected machines. Unlike many of its predecessors, this variant has a multithreaded SMTP engine, which enables it to send out multiple copies of itself at one time rather than having to send single copies in succession. The worm also is set to send out a timed mass mailing every 10 minutes. These two attributes have combined to produce the massive amounts of SoBig-related spam that have been flooding inboxes this week.

Some users have reported getting several hundred SoBig messages in a single hour. Virus experts also suspect that the worm may be using a proxy or Trojan previously installed on compromised machines to send commercial spam.