The SoBig virus/worm is back and infecting thousands of computers again, proving that the modern sedentary lifestyle is removing mankind's evolutionary advantage of learning from mistakes.
This time it is version E - SoBig.E - that is causing all the trouble. It comes from a range of email addresses with a range of subject lines, although most frequently from [email protected] or some combination of this, and Re: movie or Re: application. The attached file in each case will end in .pif or .scr.
Get infected, and the worm trawls through documents on your computer, pulling out email addresses and then forwards itself to them, hoping they are equally as gullible as you.
What is interesting however is that the virus does tend to be following the pattern we pointed out with SoBig.C - namely that each time another feature is added and the worm becomes more sophisticated. And each time it comes with an expiry date, pointing to the fact that the author is trying to work out how each individual virus behaves by removing any previous versions from the equation.
The big question though is: what happened to SoBig.D? Well, it did appear but never really took off. It was supposed to have arrived on 8 June - when SoBig.C expired - but didn't pop up until 18 June. Even then it never spread that much. Now, since, bizarrely, the spreading of the virus appears to have nothing to do with the actual subject line (every variation has featured [email protected] or [email protected]), we can only presume that the slow spread of this one was due to it being stopped/blocked by companies' systems.
So the SoBig.D virus was a failure then? It wasn't different enough to bypass the anti-virus signatures built up from the previous three viruses. The AV vendors had done their job. It could also be that SoBig.D was stopped because sysadmins were ready for it.
Possibly. But just as possible is that SoBig.D was testing another element in the search for a supervirus to be unleashed in the future. You could for example, by monitoring its take-up, learn quite a lot about companies' anti-virus measures.
However, if you want to get really worried, consider this: SoBig.D had a built-in expiry date of 2 July. It arrived on 18 June. The last reported viewing of it was 26 June. Strange that it dropped dead when it was due to keep spreading until 2 July.
When was the first reported arrival of SoBig.E? 25 June (with an expiry date of 14 July). Is this just a tremendous coincidence or are we looking at the possibility that SoBig.D's new feature was that it allowed the author to turn it off by releasing the next version of a virus? Now that would be a neat trick.
There's some clever, methodical thinking going on behind this SoBig virus and we haven't heard the last of it. Incidentally, the new improvement in SoBig.E is in the email forwarding programme it has attached - it allows for multiple sends and so rapidly increases the speed by which it can spread.