SECURITY
Security firm links virus with spammers
26-06-2003
by Andrew McLindon
A new variant of the Sobig worm, which may allow spammers to use infected PCs to send bulk e-mail, has begun to spread.
The Sobig.E worm was found on 25 June and is spreading in the "wild." E-mail security company MessageLabs said that so far it has been stopped over 22,000 times in over 70 countries, with the worm spreading most in the US.
According to anti-virus firm F-Secure, the worm usually arrives in e-mails with the body text "Please see the attached zip file for details" and the attachment "your_details.zip". The e-mails appear to come from support@yahoo.com, but since the worm spoofs the sender field, they could appear to come from any e-mail address.
Although several anti-virus companies such as Symantec said Sobig.E does not have a malicious payload, MessageLabs warned that it could expose infected computers' e-mail systems to spammers.
"This is almost certainly being precipitated by a spammer that is trying to create more open relays to send spam," Mark Summer, chief technology officer of MessageLabs, told Cnet News.com.
An open relay is a computer that accepts e-mail bound for other destinations and then resends the message anonymously. By using an open relay, spammers can disguise the location from which they are sending spam.
There is no proof that Sobig.E has been developed by a spammer, but the fact that the worm has an expiration date (when it will stop spreading) of 14 July 2003 suggests that whoever created it did not want it to turn into a worm capable of creating havoc, said Summer.
For its part, Symantec said the damage created by the worm would be confined to "large scale e-mailing." This type of payload means that the worm mails copies of itself to a certain number of e-mail addresses found in the infected PC's e-mail address book.
According to Dermot Williams, managing director of Irish IT security firm Systemhouse Technologies, what is different about Sobig.E is that the executable file is hidden within a Zip file, which may make it easier for the worm to slip through companies' virus protection systems.
"A lot of viruses and worms, including the original Sobig worm, have executable file extensions, which means they can be blocked as long as the right settings are in place. However, the Sobig.E executable file is hidden in a Zip file and some firms' anti-virus systems may allow Zip files through. In that instance, it comes down to the person receiving the Zip file not opening it in order to avoid infection," said Williams.
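As an added illustration of the gap Williams describes (this is example code, not part of the original article or any vendor's product), the following Python inspects the members of a zip attachment instead of trusting its outer ".zip" name, and separately matches the lure characteristics reported above. The inner file name and the "MZ" stub are constructed sample data, not the real worm.

```python
import io
import zipfile

# Extensions an extension-based mail filter would block if they appeared directly.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}
# Windows executables begin with the "MZ" header regardless of their file name.
PE_MAGIC = b"MZ"
# Lure characteristics reported for Sobig.E in the article above.
LURE_BODY = "please see the attached zip file for details"
LURE_ATTACHMENT = "your_details.zip"
LURE_SENDER = "support@yahoo.com"

def scan_zip_members(data: bytes) -> list[str]:
    """Look inside a zip attachment rather than trusting the outer .zip name."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                ext = name[name.rfind("."):].lower() if "." in name else ""
                if ext in EXECUTABLE_EXTENSIONS:
                    findings.append(f"{name}: executable extension {ext}")
                # A renamed executable still starts with MZ, so check content too.
                with zf.open(info) as member:
                    if member.read(2) == PE_MAGIC:
                        findings.append(f"{name}: PE header inside archive")
    except zipfile.BadZipFile:
        findings.append("attachment is not a valid zip file")
    return findings

def assess_message(sender: str, body: str, attachment_name: str, attachment: bytes) -> dict:
    """Combine lure matching with archive inspection for one inbound message."""
    checks = (("sender", sender.lower() == LURE_SENDER),
              ("body", LURE_BODY in body.lower()),
              ("attachment_name", attachment_name.lower() == LURE_ATTACHMENT))
    lure_hits = [label for label, hit in checks if hit]
    is_zip = attachment_name.lower().endswith(".zip")
    zip_findings = scan_zip_members(attachment) if is_zip else []
    # Hold the message if the archive hides an executable or the lure largely matches.
    return {"lure_hits": lure_hits,
            "zip_findings": zip_findings,
            "quarantine": bool(zip_findings) or len(lure_hits) >= 2}

def build_sample_attachment() -> bytes:
    """Constructed sample: a zip holding a fake 'MZ' stub under an executable name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("your_details.pif", b"MZ" + b"\x00" * 62)  # hypothetical inner name
    return buf.getvalue()
```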
Symantec said that due to an increased rate of submissions, it has upgraded the threat rating for Sobig.E from category two to category three (five is the highest), while F-Secure gave it a level two threat rating ("a new virus causing large infections"), with level one being reserved for the likes of Nimda and Loveletter.