Sobig Worm Strikes AgainSobig Worm Strikes Again

Yet another variant of the Sobig worm has been detected by security firms, including MessageLabs, Network Associates, and Symantec. And although the new worm is spreading slowly at the moment, if past trends prove true, users should be on the alert.

Sobig.d, which was first spotted Wednesday, is the latest in a line of fast-spreading worms which include self-timed deactivation code that ultimately renders them impotent. Sobig.d will not propagate after July 1. The previous version, Sobig.c, turned itself off on June 8.

Like its earlier incarnations, Sobig spreads via a network or through E-mail: the latter spoofs a sending address of '[email protected]' with a variety of subject headings, including 'Re: Documents' and 'Application Ref: 456003.' The worm itself is packaged as an attachment with either a .pif or .scr extension. Infection occurs when the attachment is launched.

Most antivirus vendors have ranked Sobig.d as a relatively low-level threat for the moment. Symantec, for instance, rates it a '2' on its 1-5 scale; both Network Associates and MessageLabs call it a 'low' risk. According to MessageLabs, the worm is most prominent in the United States, which accounts for more than 80% of all discovered examples.

As is the norm, security firms recommended that users update their anti-virus signature files immediately.