BBC News
Last Updated: Wednesday, 20 August, 2003, 08:10 GMT 09:10 UK
World wakes up to another virus
Be careful of clicking on suspicious e-mails
A deluge of Windows viruses is causing huge problems for computer users around the world.

As consumers and companies were clearing up after the MSBlast and Welchi worms, a fast-spreading variant of the Sobig virus has arrived.

Sobig F and Welchi are putting a huge amount of strain on network traffic and are slowing corporate systems, security experts said.

Anti-virus firm MessageLabs said it had stopped nearly 307,000 copies of the virus since Tuesday and the BBC has received thousands of infected e-mails.

Confidence trick

The first version of Sobig appeared in June of this year but the newest F variant seems to be the most successful so far.

The e-mail traffic generated by Sobig F is threatening to swamp some corporate networks that are already struggling to cope with the Welchi worm, which scans for fresh hosts many times faster than last week's MSBlast virus.

Like the earlier versions of Sobig, the virus spreads by e-mail and by exploiting unsecured network links between Windows PCs.

When it spreads via e-mail, the virus fakes an e-mail address to hide its origins and regularly changes its form and the subject lines of messages it creates to make it harder to spot.

When it infects machines, it harvests e-mail addresses from Outlook address books and net page memory stores.

The suffix of the attachment bearing the virus also changes regularly but most often the malicious program masquerades as a screensaver (.scr) or a Windows program information file (.pif).

The filename of the attached file that actually contains the virus code also changes regularly to make it harder to spot.

"The author of the Sobig worms has pulled this particular confidence trick several times before," said Graham Cluley, senior technology consultant at anti-virus firm Sophos.

"Releasing Sobig variants on different days of the week, and using slightly different subject lines and filenames, suggests that the worm's author may be trying to find the 'perfect' conditions under which his viruses can spread most quickly," he said.

Fast spreading

Sobig F has now been seen in 134 countries and currently seems to be most prevalent in the US. MessageLabs said Sobig F was "spreading vigorously".

ATTACHMENT NAMES INCLUDE
your_document.pif
details.pif
your_details.pif
thank_you.pif
movie0045.pif
document_Fall.pif
application.pif
document_9446.pif

Anti-virus firms urged users to update security software to block the latest variant.

E-mail users are being warned to be wary of messages bearing subject lines such as: Re: details, Re: approved, Re: Thank You, Re: That movie, Re: Wicked Screensaver or Your Details.

"All computer users should exercise caution when deciding what is safe to run on their computers," said Mr Cluley.

The Sobig F virus has a built-in timer that will stop it working on 10 September 2003.
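Because the filenames and subject lines change from message to message, the attachment suffix is the more durable thing for a mail filter to check. The sketch below is an added example, not part of the BBC report: it parses a message and flags any attachment whose final extension is .pif or .scr, plus the subject lines quoted above. The function names, addresses and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions the article names as the worm's usual disguise.
RISKY_EXTENSIONS = {".pif", ".scr"}
# Subject lines quoted in the article, normalised to lower case.
KNOWN_SUBJECTS = {"re: details", "re: approved", "re: thank you",
                  "re: that movie", "re: wicked screensaver", "your details"}

def inspect_message(raw: bytes) -> list[str]:
    """Return the reasons a message should be quarantined (empty if none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"subject:{subject}")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Only the final suffix decides how Windows runs the file, so
        # "holiday.jpg.pif" is caught; trailing dots and spaces are ignored.
        suffix = PurePosixPath(name.strip().rstrip(". ").lower()).suffix
        if suffix in RISKY_EXTENSIONS:
            reasons.append(f"attachment:{name}")
    return reasons

def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message with one small binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file for details.")
    msg.add_attachment(b"constructed placeholder bytes",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    samples = [("Re: Details", "your_details.pif"),
               ("Quarterly report", "report.pdf"),
               ("Holiday photos", "beach.jpg.scr")]
    for subject, filename in samples:
        print(subject, "->", inspect_message(build_sample(subject, filename)))
```

The subject match is only a supporting signal, since the article notes the worm rotates its subject lines; the extension check does not depend on them.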



