Sophos has received reports of thousands of instances of the Sobig-F worm (W32/Sobig-F) which can spread via email or network shares. For the worm to spread this fast, Sophos believes that the virus writer may have launched it using spamming technology. When arriving via email the worm can pose as an attached PIF or SCR file. Launching the attached file infects the computer.

"We have seen such a large influx of reports so quickly, it seems likely that the virus author gave his creation a kickstart using techniques usually employed by spammers. The result is that hundreds of thousands of copies of the Sobig-F worm are shunting around the internet, and some companies are finding their email systems are grinding to a halt," said Graham Cluley, senior technology consultant, Sophos Anti-Virus. "Many users know to be cautious about running unsolicited EXE files, but they should be equally wary about running PIF files or screensavers. All computer users should exercise caution when deciding what is safe to run on their computers."

Subject lines used are taken from a list, including "Re: That movie", "Re: Wicked screensaver", "Re: Approved" and "Your details". Like other variants of Sobig, the worm is programmed to stop working on a particular date; in this case, 10 September, 2003.

"Putting a 'dead-date' on his viruses suggests that the Sobig author is effectively test-driving his creations to see which tricks work best from the technical and psychological point of view," continued Cluley. "Releasing Sobig variants on different days of the week, and using slightly different subject lines and filenames, suggests that the worm's author may be trying to find the 'perfect' conditions under which his viruses can spread most quickly."

Sophos has posted a detailed description of W32/Sobig-F worm, as well as a standalone disinfection tool on its website at:
http://www.sophos.com/virusinfo/analyses/w32sobigf.html