Anti-virus experts say the Sobig.F Internet worm, which was unleashed this week, is one of the fastest-spreading they have seen.
The worm appears to be using spamming technology to turn infected PCs into 'spam machines'. Collective statistics show that over a million interceptions of the worm occurred in the first 24 hours after it was discovered.
Local anti-virus experts say they have seen "significant activity" around Sobig.F in the past 24 hours. Symantec has had reports of at least 827 infections - 42 of them in corporate systems - and the company says it expects to see the worm spreading steadily over the next two to three days.
Sobig.F drops software onto infected Windows computers to be used later for distributing Internet spam. It also represents a new trend in converging e-mail spamming and virus software writing, say the experts.
"We believe [Sobig.F] has been written by a spammer or spammers" looking for ways to get past spam filters, says Mikko Hypponen, manager of anti-virus research for Finnish security firm F-Secure. "For once, we have a clear motive for a virus: money." Other experts suggest motives could also be identity theft, banking fraud or simply notoriety.
Security experts say it is difficult to ascertain how many computers have been infected by the Sobig.F worm. Internet service America Online, however, says it blocked about 11.5 million copies of the virus.
The virus arrives in e-mails with subject lines such as "that movie", "details", "approved" or "wicked screensaver". Attachments for Sobig.F known to date include details.pif, thank-you.pif, movie0045.pif, your-details.pif and application.pif. Security experts recommend that all PIF files be blocked at the gateway level to help lower the risk of a Sobig worm outbreak.
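The gateway-level PIF block recommended above can be expressed as an attachment check on each inbound message. The following is an added example, not code from any vendor named in the article; the function names, addresses and sample messages are constructed for illustration, and the extension list is an assumption to extend per local policy.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".pif"}  # the article's recommendation; assumed extendable

def normalise(name):
    # Windows ignores trailing dots and spaces, so "x.pif." still opens as a PIF.
    return name.strip().rstrip(". ").lower()

def blocked_attachments(raw):
    """Return normalised names of attachments in a raw message that must be blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename=, falls back to
        # Content-Type name=, and decodes RFC 2231 encoded parameters.
        name = part.get_filename()
        if not name:
            continue
        clean = normalise(name)
        # Only the final extension decides how Windows opens the file.
        if any(clean.endswith(ext) for ext in BLOCKED_EXTENSIONS):
            hits.append(clean)
    return hits

def build_sample(subject, filename):
    """Build a constructed test message carrying one harmless attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("See the attached file for details.")
    msg.add_attachment(b"constructed sample bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for fname in ("details.pif", "Your-Details.PIF", "movie0045.pif.",
                  "holiday.jpg.pif", "report.pdf"):
        verdict = blocked_attachments(build_sample("details", fname))
        print(f"{fname!r}: {'BLOCK' if verdict else 'allow'}")
```

Matching on the normalised final extension, rather than on the exact filenames listed above, keeps the rule effective when a variant changes the attachment name or its letter case.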
Sobig.F hit the computing world as corporations were still recovering from several worms that spread through holes in Microsoft's Windows operating systems in the past week, including the Blaster worm. Also called LovSan, it has infected and crashed hundreds of thousands of computers since last week. The Welchia or Nachi worm, which surfaced on Monday, infected tens of thousands of PCs, including 72 000 computers used by the US Navy and Marine Corps, and crippled Air Canada's reservation counters and call centres.
The Sobig.F outbreak is also resulting in e-mail systems being clogged by auto-response mails notifying users they have sent out infected e-mail.
Netxactics, southern African distributor for Sophos Anti-Virus, says it has received numerous reports from customers concerned about auto-responders that are wrongly accusing them of sending an e-mail infected with the Sobig.F worm.
Netxactics CEO Brett Myroff explains that Sobig.F is not the first worm to 'forge' or 'spoof' e-mail addresses, making it appear that the sender is known to the victim. "If the 'Sender' name has been forged, the auto-reply can be received by an innocent party, causing undue confusion and stress. A false accusation may even harm your company's relationship with clients."
Netxactics and Sophos recommend that users do not respond to e-mails from auto-responders accusing them of being infected and spreading the Sobig.F worm. However, users should consider double-checking their computers for the latest viruses just in case they are genuinely infected.
"With the recent spate of outbreaks, it is essential that companies realise the virus threat is real and ensure their anti-virus solutions are updated and have automated updating for anti-virus software," says Myroff.