Hard on the heels of the Blaster worm outbreak , yet another version of the resilient and ever-popular SoBig virus began spreading rapidly on the Internet Tuesday morning. Known as SoBig.F, the new variant behaves much like its older siblings, infecting Windows machines via e-mail and sending out dozens of copies of itself.

The variant began spreading early Tuesday Eastern time, and by 9 a.m. Tuesday, MessageLabs Inc. had stopped more than 10,000 copies. The virus size is approximately 73 KB, and the attachment that actually contains the malicious code can carry any one of a number of names, according to iDefense Inc., a security company based in Reston, Va. Among the file names seen so far are:

» application.pif
» document_all.pif
» details.pif
» document_9446.pif
» movie0045.pif
» thank_you.pif
» your_details.pif
» your_document.pif
» wicked_scr.scr

The subject line of the e-mail message that carries the attachment is also randomized, and many of the subjects are similar to previous SoBig variants. They include:

» » Re: Details
» Re: Approved
» Re: Re: My details
» Re: That movie
» Re: Thank you!
» Re: Your application
» Re: Wicked screensaver
» Thank you!
» Your details

SoBig.F installs a copy of itself in the Windows registry, in a file named “winppr32.exe.” MessageLabs lists the worm as originating in the Netherlands, and its statistics show that SoBig.F has spread mainly in that country and Norway at this point. However, that is likely to change as workers in North America begin checking their e-mail Tuesday.

Some facts:

» “This is local clogging as opposed to worldwide Internet clogging,” Kuo said. “There are many areas of local pain.”
» The MSBlast variant, Nachia, infects computers using the same widespread vulnerability in Microsoft Windows that previous versions of the worm exploited. The program then downloads a patch to protect systems against future infections of the MSBlast worm.
» While the intentions of the unknown worm writer seem to have been good, its aggressive spread has clogged many networks.
» “It’s faster,” Kuo said. Previous versions of MSBlast tried to spread to 20 different network addresses at a time but had to wait for each attempt to fail if no computer was at that address. The Nachia variant tries to spread to 300 different address at a time and doesn’t wait, letting it spread very fast.
» The latest version of the SoBig mass-mailing computer virus also caused headaches for network administrators. E-mail service provider MessageLabs stopped more than 100,000 messages carrying the latest virus in the first few hours of the attack.

Source From ieXbeta