SoBig.F is a relaunched e-mail worm that has taken e-mail systems by storm in the last ten days, spreading to more than 134 countries and affecting tens of millions of users. It is derived from the SoBig family, first detected in 2002 (SoBig.A). The original version was thought to be designed as a device for distributing spam mail, for either marketing or more dubious purposes, by bypassing filtering and creating a relay for unwanted e-mail-borne advertising. SoBig.F was first launched in 2003 and caused great disruption, though not on the scale currently being experienced. Its threat level was even then classified by Microsoft as severe; it specifically targets Windows operating systems.
You should immediately delete SoBig.F or anything resembling it (see below). It is a worm, meaning it replicates itself, but it is also a trojan that allows third parties to execute actions on your computer. The latest outbreak of this infection is known to have infected millions of computers; the British security firm MessageLabs alone has reported intercepting over one million copies of the virus in just twenty-four hours. This is more than any other attack on record. Graham Cluley of the I.T. firm Sophos stated, “This is the worst barrage of viruses in the history of computing… SoBig.F is the fastest-spreading virus of all time”. Companies have received millions of copies that are drastically slowing their systems. Some home users have received up to 6 000 copies each, bringing their systems to a standstill. From the launch of the virus to last Monday (04th January), one in seventeen of all e-mails sent was infected (compare this with the previous record attack, LoveBug, which infected one in twenty-eight). Below is an overview of how the virus works and why you should wipe SoBig.F from your system and stop it from returning.
How SoBig.F Operates
The SoBig.F family was originally created as a back door for marketing by parties who would profit from the distribution of spam e-mails. Once opened, it executes as a worm, self-replicating by automatically sending identical e-mails to every address it can find in the account’s contact list and in files with certain extensions on the disk, so it spreads exponentially. As it is also a trojan, on opening it can embed itself in the host system and pave the way for remote access; this is why it is important to remove SoBig.F e-mails completely and without opening them. Note that the virus can also arrive bundled with freeware that is not well scrutinized before installation!
E-mail subject lines currently associated with SoBig.F are:
* Re: Approved
* Re: Your application
* Details
* Wicked screensaver
* Re: Re: My details
* Your details
* Re: Thank you!
* Thank you!
* Re: That movie
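The subject lines above are useful as a simple mail-gateway filter. The following is an added example, written for this article rather than taken from it: a Python triage function that parses a raw e-mail with the standard `email` module, normalises the subject, and quarantines messages that combine a known SoBig.F subject with an attachment (the worm always travels as an attachment), while flagging either indicator on its own as suspicious, in line with the article’s advice to avoid attachments. The sender addresses, attachment names and message bodies are constructed sample values.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Subject lines the article lists for SoBig.F; matching is case-insensitive and
# ignores surrounding whitespace.
SOBIG_SUBJECTS = {
    "re: approved",
    "re: your application",
    "details",
    "wicked screensaver",
    "re: re: my details",
    "your details",
    "re: thank you!",
    "thank you!",
    "re: that movie",
}


def has_attachment(msg: EmailMessage) -> bool:
    """True when the parsed message carries at least one attachment part."""
    # iter_attachments() yields nothing for single-part (non-multipart) mail.
    return any(True for _ in msg.iter_attachments())


def classify(raw: str) -> str:
    """Classify one raw RFC 822 message as 'quarantine', 'suspicious' or 'deliver'.

    quarantine : known SoBig.F subject line AND an attachment (the worm's pattern)
    suspicious : known subject line without an attachment, or an attachment with
                 an unrelated subject (the article's "stay clear of attachments")
    deliver    : neither indicator present
    """
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    known_subject = subject in SOBIG_SUBJECTS
    attached = has_attachment(msg)
    if known_subject and attached:
        return "quarantine"
    if known_subject or attached:
        return "suspicious"
    return "deliver"


def build_sample(subject: str, body: str, attachment_name: Optional[str]) -> str:
    """Build a constructed sample message (addresses and names are placeholders)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"   # constructed placeholder address
    m["To"] = "user@example.invalid"       # constructed placeholder address
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        # Constructed binary payload; only the presence of the part matters here.
        m.add_attachment(b"\x00sample\x00", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()


def triage(raw_messages) -> dict:
    """Count how a batch of raw messages would be routed by classify()."""
    counts = {"quarantine": 0, "suspicious": 0, "deliver": 0}
    for raw in raw_messages:
        counts[classify(raw)] += 1
    return counts


if __name__ == "__main__":
    batch = [
        build_sample("Re: Approved", "See the attached file.", "document.bin"),
        build_sample("Thank you!", "No attachment this time.", None),
        build_sample("Lunch on Friday?", "Menu attached.", "menu.pdf"),
        build_sample("Lunch on Friday?", "Plain text only.", None),
    ]
    for raw in batch:
        print(classify(raw))
    print(triage(batch))
```

The subject match alone is deliberately not enough to quarantine, since legitimate replies titled “Re: Thank you!” are common; requiring the attachment as a second indicator keeps false positives down while still catching the worm’s actual delivery pattern.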
When SoBig.F is opened, it searches for all open network routes and embeds itself on the C:, D: and E: drives and also in the start-up folder (for this reason, all user accounts become infected on start-up). The virus disguises itself and its associated files as system files to evade anti-virus software.
Threats From SoBig.F
The host system will slow due to unsolicited software and files designed to consume system resources. These files can be dangerous, as can the registry entries the virus creates. Apart from its capability to introduce further malware, it will increasingly corrupt your computer’s functions and has the ability to change start-up settings. Most threatening of all, it can leave you susceptible to third-party control and data access: dispose of SoBig.F as early as possible.
Removing SoBig.F and Staying Safe
Uninstalling the virus can be carried out manually using Windows Task Manager and Registry Editor. This takes time and patience, though it can be done by following the instructions. If you do not have a competent anti-virus program, then this may be the only way (short of reformatting the disk and reinstalling the whole system), as the infection can mask itself from some A/V software. Always back up your files before manual or automated removal. Remember the e-mails: don’t open any unless they come from addresses known to you, and stay especially clear of any with attachments. Practise safe downloading by using the Advanced/Custom install option to see what you’re getting. Eradicate SoBig.F and get good anti-virus software to help prevent any future infections.
Afterthought…
In 2003, the first attack by SoBig.F was halted by deactivation (this virus has a predetermined ‘life-span’). The same year, Microsoft offered an Anti-Virus Reward Program bounty of $250 000 for information leading to the author, who was not found (though there are noted similarities with a Russian programmer’s work). Now, with this re-launch, it could be that the author needs dollars and is testing Microsoft again for a bigger prize… or perhaps this hacker is not SoBig and smart, and someone has stolen his program…