Welcome to the summer of the worm.
Hard on the heels of the , yet another version of the resilient and ever-popular SoBig virus began spreading rapidly on the Internet Tuesday morning. Known as SoBig.F, the new variant behaves much like its older siblings, infecting Windows machines via e-mail and sending out dozens of copies of itself.
The variant began spreading early Tuesday Eastern time, and by 9 a.m. Tuesday, MessageLabs Inc. had stopped more than 10,000 copies. The virus size is approximately 73 KB, and the attachment that actually contains the malicious code can carry any one of a number of names, according to iDefense Inc., a security company based in Reston, Va. Among the file names seen so far are:
application.pif
document_all.pif
details.pif
document_9446.pif
movie0045.pif
thank_you.pif
your_details.pif
your_document.pif
wicked_scr.scr
The subject line of the e-mail message that carries the attachment is also randomized, and many of the subjects are similar to previous SoBig variants. They include:
Re: Details
Re: Approved
Re: Re: My details
Re: That movie
Re: Thank you!
Re: Your application
Re: Wicked screensaver
Thank you!
Your details
SoBig.F installs a copy of itself in the Windows registry, in a file named “winppr32.exe.” MessageLabs lists the worm as originating in the Netherlands, and its statistics show that SoBig.F has spread mainly in that country and Norway at this point. However, that is likely to change as workers in North America begin checking their e-mail Tuesday.
Click here
for tips on battling SoBig.
SoBig.Fs appearance comes just eight days after the initial onset of the Blaster worm, which has infected several hundred thousand Windows PCs.
