3 June 2003

New version of Sobig virus spreads globally

A computer virus that traversed the globe last week struck again in a slightly mutated form over the weekend and continued to spread aggressively through e-mail systems worldwide on Monday.

Both viruses try to trick recipients into opening their infectious attachments by pretending to originate from Microsoft Corp.

This week’s virus, dubbed “Sobig.C” by antivirus companies, forges its sender address, sometimes appearing to be from Bill Gates by using the address [email protected] and other times grabbing addresses from a victim’s address book.

“Sobig.B” — the other virus — faked, or “spoofed,” the sender address to read [email protected].

As of mid-afternoon on Monday, Sobig.C had reached computers in 96 countries, according to e-mail filtering services company MessageLabs Inc. In all, the firm has stopped 24 888 copies of the virus from reaching its corporate clients, with Monday’s take so far reaching about 13 000. Chief Technology Officer Mark Sunner said the outbreak, which is moving across the globe with the sun, looks like it will be about the size of Sobig.B. MessageLabs has blocked 404 836 copies of that earlier version since it emerged May 17.

“The next 24 to 48 hours will give us a better sense if this is going to keep growing or trail off,” said Steve Trilling, director of research at Symantec Corp., who also predicted the two outbreaks would be similar in size.

The company, which makes Norton antivirus software, had received 539 copies of the virus from infected customers, including copies from 12 corporate customers, by late on Monday morning. That was about the same number of consumer submissions as at the same point in the Sobig.B outbreak, but half the number of corporate ones.

Symantec ranks the risk level of the virus a “three” on a scale of one to five, or medium-to-high. MessageLabs is calling it high risk.

The two viruses are similar to the “Sobig.A” virus that first appeared January 9 and, according to MessageLabs, is the 7th most prevalent virus of all time at 625 595 copies blocked.

Virus writers often unleash multiple versions of the same virus, tweaking it over time in an effort to evade antivirus-software companies’ scanners.

Sobig.C comes in attachments with names very similar or identical to names used by Sobig.B, such as “Approved,” “Re: Movie” and “Re: Screensaver.”

Both viruses, if activated, mail themselves out to addresses found on a victim’s computer, but only up to a certain date.

Sobig.C will stop spreading on June 8. Sobig.B stopped spreading on May 31. Neither virus does anything sinister to the computers it infects.

The biggest difference in the two viruses — and the main reason most antivirus scanners weren’t immediately stopping it — was a small change in the message’s basic encryption technology, Sunner said.

Sobig.C was “packed” in an altered version of UPX, which is a standard format for packaging programs. The changes meant some desktop antivirus scanners couldn’t read the e-mails’ contents to see the virus inside.

MessageLabs’ scanner successfully stopped the virus from the start because it looks for viruses in messages with every possible UPX format, Sunner said. – Sapa-AP
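The detection lesson in the last three paragraphs is that a scanner keyed to a single packer signature is blinded by a small change to that signature, while one that recognises packed content by several independent indicators is not. The Python below is an added illustration of that point; it is not code from the article or from MessageLabs, Symantec or any other party named in it. It constructs a stand-in for a packed executable (a few PE-like marker bytes and a high-entropy body, not a real PE file and not Sobig), and it assumes, as a constructed scenario, that the alteration changed the packer’s identifying “UPX!” magic bytes; the article does not say which bytes Sobig.C’s packer changed. The “UPX!” magic and the UPX0/UPX1 section names are markers a stock UPX-packed Windows executable really carries; the entropy threshold is a common heuristic value, not one taken from the article.

```python
import math
import random

# Markers a stock UPX-packed Windows executable carries. A signature-only
# check keys on the "UPX!" magic; the section names are an independent tell.
UPX_MAGIC = b"UPX!"
UPX_SECTION_NAMES = (b"UPX0\x00\x00\x00\x00", b"UPX1\x00\x00\x00\x00")
ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_sample(magic: bytes = UPX_MAGIC, seed: int = 2003) -> bytes:
    """Constructed stand-in for a packed executable: a small header region with
    the section names and packer magic, then a high-entropy, compressed-looking
    body. This is NOT a real PE file and NOT Sobig; it exists only so the two
    detectors below have something to scan. Passing a different `magic`
    models a packer whose identifying string was altered (an assumption)."""
    rng = random.Random(seed)  # seeded so the sample is reproducible
    header = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"".join(UPX_SECTION_NAMES) + magic
    body = bytes(rng.getrandbits(8) for _ in range(4096))
    return header + body


def signature_scan(blob: bytes) -> bool:
    """Naive detector: recognises the packer only by its stock magic string,
    so any change to that string makes the file look unpacked."""
    return UPX_MAGIC in blob


def heuristic_scan(blob: bytes) -> dict:
    """Packer-aware detector: combines independent indicators so that changing
    any single string does not hide the packed payload. Returns each indicator
    plus an overall 'packed' verdict (two or more indicators)."""
    indicators = {
        "upx_magic": UPX_MAGIC in blob,
        "upx_sections": all(name in blob for name in UPX_SECTION_NAMES),
        "high_entropy": shannon_entropy(blob[-4096:]) >= ENTROPY_THRESHOLD,
    }
    indicators["packed"] = sum(indicators.values()) >= 2
    return indicators


if __name__ == "__main__":
    stock = build_sample()
    altered = build_sample(magic=b"XXX!")  # constructed: magic string changed
    for label, blob in (("stock UPX", stock), ("altered magic", altered)):
        print(label, "| signature:", signature_scan(blob),
              "| heuristic:", heuristic_scan(blob))
```

Run stand-alone, the stock sample is flagged by both detectors, while the sample with the altered magic slips past the signature check but is still flagged by the heuristic on the section names and the entropy of its body. A production scanner would parse the PE section table properly rather than searching the whole file for marker strings, and would add further indicators (entry point inside the last section, tiny import table); the example keeps to byte searches so it runs on the constructed input without a PE parser.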