10 Sep 2003
SoBig.F is due to deactivate today, but experts are already waiting for the next variant of the virus to start spreading.
There have been six variants on the SoBig virus since it was first detected in January. Each successive version has displayed improved code and more adept social engineering, and future versions are expected to be developed along similar lines.
"To be honest I'm surprised we haven't seen one yet," said Professor Neil Barrett, technical director at security consultant IRM.
And Graham Cluley, senior analyst at antivirus specialist Sophos, said: "Previous versions of the virus took two or three weeks to surface. We're keeping an eye out for new versions and advising all IT managers to do everything to protect their systems by blocking .PIF attachments."
The ease of creating variants has led some to question the value of identity-based antivirus protection and to move to alternative methods.
Heuristic analysis, which identifies suspicious activity rather than actual malware, looks the most promising alternative.
Once activated, SoBig copies itself to Windows and edits the registry to ensure that it starts whenever the computer boots. All Windows operating systems from 95 to XP are affected.
All email addresses on the PC are collected and are then sent copies of the worm using the worm's own SMTP engine.
Email headers are spoofed to hide the location of infected machines, and the virus can also be spread using network shares.
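The .PIF attachment block advised above can be expressed as a check at the mail gateway. The following is an added example, not code from the article or from any vendor it quotes; the function names, addresses and sample messages are constructed for illustration, and the blocklist holds only the extension the article names.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: blocklist for this example; the article names only .PIF.
BLOCKED_EXTENSIONS = {".pif"}


def final_extension(filename: str) -> str:
    """Return the lowercased last extension, ignoring trailing dots and spaces.

    Windows drops trailing dots and spaces from file names, so "x.pif." is
    treated as "x.pif"; a double extension such as "x.txt.pif" is judged by
    its last component only.
    """
    cleaned = filename.strip().rstrip(". ").lower()
    return "." + cleaned.rsplit(".", 1)[-1] if "." in cleaned else ""


def blocked_attachments(raw_message: bytes, blocked=BLOCKED_EXTENSIONS):
    """Return the file names of all MIME parts whose extension is blocked."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() checks Content-Disposition first, then Content-Type name
        name = part.get_filename()
        if name and final_extension(name) in blocked:
            hits.append(name)
    return hits


def build_sample(filename: str) -> bytes:
    """Build a constructed test message carrying one harmless attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("See attachment.")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for sample in ("report.txt.PIF", "invoice.pif.", "notes.txt"):
        hits = blocked_attachments(build_sample(sample))
        print(f"{sample!r}: {'REJECT' if hits else 'accept'}")
```

Because the worm spoofs its email headers, the check keys on the attachment name and ignores the sender fields.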