New worm variant disguised as e-mail from Gates

A potent new variety of the Sobig e-mail virus is spreading on the Internet, according to warnings from a number of leading antivirus companies.

The new virus, known as Sobig.C, was first detected on Saturday and is a variant of the original Sobig virus, which appeared in January 2003, according to a statement by Helsinki, Finland, security company F-Secure.

Like the original Sobig virus, Sobig.C is a mass-mailing worm that spreads copies of itself through e-mail messages with attached files that contain the virus code.

Sobig.C arrives in e-mail messages that use a variety of subject lines such as "Re: Screensaver," "Re: Movie" and "Re: Your Application." The names of the attachment containing the virus also vary and include "screensaver.scr," "approved.pif" and "movie.pif," F-Secure said.

Once opened, the attachment copies the virus to the Windows folder on the infected machine and alters the machine's Microsoft Windows registry to make sure that the virus is started along with the operating system.

The worm scans infected machines for e-mail addresses stored in a variety of files including the Windows address book and on saved Web pages. Sobig.C saves the addresses it finds in a separate file, then targets those addresses with e-mail messages containing the virus.

Like its predecessor, Sobig.C is also capable of detecting and copying itself to vulnerable shared folders on a local area network, according to an alert by antivirus company Sophos.

However, unlike the earlier worm, Sobig.C is capable of faking the sender's address as well, inserting e-mail addresses it finds on the host machine in the "From" line of messages containing the virus.

Messages containing the original Sobig worm used only one address on the From line: "big@boss.com," according to an alert posted on the Web site of McAfee Security, a business unit of Network Associates Inc.

That means messages containing the Sobig.C virus might appear to come from people the targeted user knows. In addition, receiving an infected e-mail from an address doesn't automatically mean that the sender's machine has been infected, F-Secure said.

Among the e-mail addresses spoofed by Sobig.C is "bill@microsoft.com," the address for Microsoft chairman and chief software architect Bill Gates.

The new virus is just the latest Sobig variant to spread, in part, by using the name of the Redmond, Wash., company.

In May, another variant, Sobig.B, also known as "Palyh," infected machines worldwide by disguising itself as a message from Microsoft's support organization.

Most antivirus companies provided updated virus definitions to detect Sobig.C on Sunday and encouraged their customers to update their antivirus software as soon as possible.

Instructions for detecting the new virus were also posted on leading antivirus sites, as were tools for removing Sobig.C from infected machines.