This week’s computer nuisance, the Sobig virus, continued its march around the Internet Wednesday, infecting thousands of computers and hundreds of corporations. Even innocent bystanders were also hit by Sobig’s fallout — on Wednesday, many inboxes were overloaded with stray e-mails created by the virus. The outbreak comes on the heels of last week’s MSBlaster worm, which may have infected over 1 millions computers.
Sobig and its varients have been taunting computer users all year, starting with the original virus released in January. The sixth variant was released early Tuesday, kick-started by a mass spam mailing and quickly rising to the top of many virus threat lists.
By Wednesday morning, Network Associates Inc. raised its risk assessment on the virus to “high,” because it had infected so many home users. Antivirus firm MessageLabs had trapped nearly 500,000 copies of the worm headed for its customers. And Symantec Corp. said over 2,000 customers had submitted copies of the worm, including 146 different corporations.
The worm uses random subject lines and attachment names, making it hard to spot.
But even those who weren’t directly infected with the virus were struggling with it. When it replicates, the virus “spoofs” the sending e-mail address. That means the “From:” line is faked, selected from a list of e-mail addresses culled off the Internet. Users unlucky enough to be used in Sobig’s “From” line can get hundreds of Sobig-related complaints, including automated bounce messages saying the virus didn’t reach its recipient, or irate messages from recipients who think they’ve been sent a computer virus.
“We’re getting reports of so many bounced messages,” Schmugar said. “Unfortunately, there’s not a whole lot you can do.” In some cases, inbox filters can reduce the nuisance, but can’t really eliminate it, he said.
The appearance of another Sobig variation was no surprise. Earlier versions of Sobig included an expiration date. The prior version expired last month; Sobig.F, as the new variation is called, will expire Sept. 10.
Antivirus experts think the author may be using the worm to construct an elaborate network of hijacked computers that can be used to send spam.
Welchia hits networks
Meanwhile, a virus similar to last week’s MSBlaster crippled some computer networks, including that of Air Canada and the $6.9 billion U.S. Navy-Marine Corps intranet.
The Welchia worm struck Air Canada on Tuesday morning and crippled its check-in counters and call centers, the company said. The airline was forced to manually check in passengers, causing delays at airports.
Unclassified computers on the Navy-Marine intranet were also infected by the worm, said a spokesman for Electronic Data Systems Corp., which manages the system. The worm was expected to be removed by Wednesday night.
Welchia exploits the same vulnerability used by MSBlaster to attack millions of computers last week. Some have called Welchia a “good Samaritan” worm because it installs the patch needed to disable MSBlaster; but security experts are wary of what else it might do. Vincent Weafer, spokesman for Symantec Corp. said his company raised Welchia’s risk rating to a 4 on a scale of 1 to 5 — mostly based on the extra network traffic that has been generated as the worm attempts to spread itself inside a company. Several other big-name firms have been hit, he said.
The Washington Post and Reuters contributed to this story.