Anti-virus security firms on Monday increased the alert level for the latest variant of the SoBig e-mail worm after it spread rapidly over the weekend, targeting machines in about 84 countries.
The mass-mailing virus, which masquerades as an e-mail from firstname.lastname@example.org, is similar to former variants of the SoBig worm family. But a new network worm component has been added to SoBig.C to speed up the spread of the virus over open shared networks and preconfigured default startup locations on networked computers.
Security consultants iDefense has validated more than 30,000 interceptions of the worm, which has been programmed to stop spreading on June 8. However, the company warned that SoBig.C is capable to sending infected e-mails from machines because of incorrectly configured clock settings.
To send infected messages, F-Secure warned that SoBig.C makes a direct connection to the default SMTP server and steals e-mail addresses from .TXT, .EML, .HTML, .HTM, .DBX, .WAB files in all directories on all available local drives.
"In addition to the e-mail spreading, SoBig.C will search for Windows machines within the infected Local Area Network and will try to copy itself to their Startup folder. This will fail unless users are sharing their Windows directories with write access a thing that should never be done," the company said.
F-Secure product manager Mikael Albrecht said an interesting pattern was detected with the latest variant of the SoBig worm. SoBig.B, which was detected in the wild sparingly just weeks ago, was programmed to die on May 31. That's the same day that SoBig.C was found.
"SoBig.C is programmed to die on June 8th so time will tell if we can expect SoBig.D to make its first appearance after that", Albrecht noted.
has also upgraded the SoBig.C threat from a
Category 2 to a Category 3 while McAfee now rates it a "medium risk"