19 Aug 2003
A new variant of the SoBig worm has been filling inboxes worldwide, after it was mass-mailed to millions of email addresses.
The worm arrives as a .Pif (Program Information file) attachment in emails with the headers:
The worm is 72,000 bytes. Once activated it copies itself to Windows as 'winppr32.exe' and edits the registry to ensure that it starts whenever the computer boots.
All email addresses on the PC are collected and are then sent copies of the worm using the worm's own SMTP engine.
Email headers are spoofed to hide the location of infected machines, and it can also be spread using network shares.
"SoBig.F seems to be extremely prevalent," said Graham Cluley, senior analyst at antivirus company Sophos.
"We suspect the author must have spammed it to millions of people, which gave it a huge head start in infections.
"As with all the other SoBig variants, if IT managers would just block .Pif files at the firewall they'd have very few problems."
This is the sixth variant of the SoBig worm, which first surfaced in January of this year.
All operating systems from Windows 95 to XP are affected, although the worm will automatically deactivate on 10 September.
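The .Pif block recommended above can be enforced at a mail gateway by inspecting attachment names. The sketch below is an added example, not code from the article or from any vendor; the function names, addresses and sample filenames are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# The attachment type named in the article; extend the set for local policy.
BLOCKED_EXTENSIONS = {".pif"}


def blocked_attachments(raw: bytes, blocked=BLOCKED_EXTENSIONS):
    """Return the attachment filenames whose final extension is blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # multipart containers and inline text have no filename
        # Windows ignores trailing dots and spaces in filenames, so strip
        # them before comparing; match case-insensitively on the last
        # extension so "Report.TXT.PIF" is caught as well.
        cleaned = name.strip().rstrip(". ").lower()
        dot = cleaned.rfind(".")
        ext = cleaned[dot:] if dot != -1 else ""
        if ext in blocked:
            hits.append(name)
    return hits


def build_sample(filename: str) -> bytes:
    """Constructed test message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("See the attached file.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fn in ("details.pif", "Report.TXT.PIF", "notes.txt"):
        hits = blocked_attachments(build_sample(fn))
        print(f"{fn}: {'REJECT' if hits else 'accept'}")
```

The check looks only at the declared filename of each MIME part, so a .pif file inside an archive is not covered by it.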