SoBig F to try again Sunday

Antivirus companies are warning that the SoBig F worm carries a payload that could give hackers control of thousands of computers over the weekend.

The virus contains instructions to try and download additional malware between 2000 and 2300 GMT Friday and again on Sunday.

It is not known what package may be downloaded, but SoBig E attempted to download a Trojan allowing remote control of infected PCs by the hacker.

"We can't predict what the program will do. The virus writer could change his mind about what to send at the last minute," said Graham Cluley, senior analyst at antivirus specialist Sophos.

"It could display a smiley face [on the PC] or it could start destroying files. There's no way to tell.

"We recommend blocking the UDP port 8998 on a firewall, which is the port the virus will try and use."

SoBig F is still spreading but not as quickly as BugBear B or Klez H.

Its spread has been so rapid because it was spammed to millions of email addresses, and subsequently spammed by infecting computers seeking to spread the infection further.

The virus also spoofs the headers on emails that it sends out, making it harder to track down the sources.

Paul Wood, chief information analyst at email security specialists MessageLabs, said: "We've blocked well over two million infections in the past 48 hours, and this is likely to hit three million by the end of the week and more over the weekend.

"The fact that antivirus vendors didn't have signatures available for 12 hours after the first sighting means it had a real headstart."

This is the sixth variant on the SoBig worm, which first surfaced in January of this year.