The appearance of a third version of an apparently harmless computer virus has prompted security experts to upgrade its risk rating to High.
SoBig.C is the same virus as SoBig.B, which spread widely a fortnight ago after people fell for its spoofed email address of "[email protected]" and opened the attachment. SoBig.A first appeared in January and has become one of the biggest ever viruses.
However, what has concerned experts is that the virus has an in-built self-destruction date. SoBig.B stopped functioning on 31 May - the same day that SoBig.C was first noticed. SoBig.C has a self-destruction date of 8 June, leading many to fear we will see a SoBig.D appear on that day.
While all versions of the virus have been harmless so far - simply copying themselves to other email addresses it can find on the infected computer - each step up the alphabet has included potentially worrying extra features.
In its latest incarnation, the virus installs itself in the computer's registry so that even if a computer is rebooted, the virus remains. It also attempts to link to three GeoCities webpages, although these pages are not active. On top of this, it contains its own email programme that allows it to spoof email addresses so people think the virus is coming from a friend (although this feature is not very efficient at the moment).
The fear is that SoBig.D may appear to come from friends and include active links that download software onto the infected computer without the user being aware of it. That software, depending on what it is and how it has been designed, could potentially allow someone thousands of miles away to take control of the computer over the Internet.
The security implications are enormous - a focused search could yield passwords to company networks, enabling a skillful hacker to ruin a company's computer system from within. Often in this situation, however, the software is used to launch so-called denial-of-service attacks on a particular Internet server by making all the infected computers send data packets to one location - this overloads servers and makes them effectively shutdown.
By using three versions of the same virus, however, the writer may have ruined any chances of reeking future havoc. Although employees will be more aware of not opening attachments from a "[email protected]" or "[email protected]", there is no reason why an entirely different email address couldn't be used.
However, experts now know how the SoBig.C virus was rewritten in order to bypass the filters that had been set up to capture SoBig.B. If the same or a similar method is used for a future virus, it will be far easier to nip it in the bud.
The virus itself is easy to spot.
One: a daft subject line "Re: Movie" or "Re: Application" - do you remember sending this person an email entitled "Movie"? No? Funny that.
Two: a short line of uninvolving copy along the lines "please see the attached file". Surely, the email would have your name on it or some personal information or it would be cc'ed to lots of other people.
Three: the virus file ending nearly always in ".pif" - a format you have probably never seen before - and called something bland like "application", "approved", "submited" [sic].
However, if the history of computer viruses has taught us anything it's that people simply do not think (or remember from last time) when they get an email that sounds vaguely interesting.
As to whether SoBig is to become the alphabet killer virus - well, we should be able to hazard a much better guess in five days' time on 8 June.