Sophos has today reported that W32/Sobig-C, the worm posing as an email from Microsoft's Bill Gates that has been spreading widely across the internet, has been programmed to stop spreading from Sunday, 8 June onwards.
This news comes just two weeks after its predecessor, W32/Sobig-B, appeared suddenly and spread rapidly before falling dormant on 31 May. Despite being active for only a fortnight last month, Sobig-B (also known as Palyh-A) topped Sophos's monthly chart of most frequently occurring viruses. Sobig-B is widely believed to have been written by the same person as Sobig-C.
"Putting a 'dead-date' on the two viruses suggests that the Sobig author is effectively test-driving his creations to see which tricks work best from the technical and psychological point of view," said Graham Cluley, senior technology consultant at Sophos. "By releasing Sobig variants on different days of the week, and using slightly different subject lines and filenames, the virus author may be trying to find the conditions under which his viruses can spread most quickly. He may also be refining his techniques for use in future malicious creations."
"Sobig-C first appeared on the day its predecessor fell dormant. We wouldn't be surprised if a new virus in the form of Sobig-D were released this weekend, to coincide with the end of Sobig-C," continued Graham Cluley.
Sophos advises that companies can protect against future email-aware viruses by blocking all executable code at their email gateway. It is rarely necessary to allow users to receive programs via email from the outside world. There is so little to lose, and so much to gain, simply by blocking all emailed programs, regardless of whether they contain viruses or not. Users of Sophos MailMonitor for SMTP can achieve this through its threat reduction capability.
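The gateway rule recommended above, as an added Python example; it is not Sophos code and does not describe how MailMonitor works. The extension list, the function names and the sample messages are assumptions constructed for illustration. Attachments are rejected on file type alone, by name and by the `MZ` program header, with no virus scanning involved.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed policy list of "program" extensions (illustrative, not from the page).
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".cpl"}


def is_program(filename, payload):
    """Return a reason string if the part looks like a program, else None."""
    # Normalise: lower-case and drop trailing dots/spaces that Windows ignores.
    name = (filename or "").strip().lower().rstrip(". ")
    ext = os.path.splitext(name)[1]  # last extension, so "a.txt.pif" -> ".pif"
    if ext in BLOCKED_EXTENSIONS:
        return "blocked extension " + ext
    # DOS/Windows programs start with the bytes 'MZ'; this catches a program
    # that was renamed to a harmless-looking extension.
    if payload[:2] == b"MZ":
        return "MZ executable header"
    return None


def gateway_verdict(raw_message):
    """Return (action, reasons); action is 'reject' if any MIME part is a program."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers have no payload of their own
        payload = part.get_payload(decode=True) or b""  # undo base64/quoted-printable
        reason = is_program(part.get_filename(), payload)
        if reason:
            reasons.append("%s: %s" % (part.get_filename() or "(unnamed part)", reason))
    return ("reject" if reasons else "accept", reasons)


def build_sample(filename, data):
    """Build a constructed test message with one attachment (all values made up)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = "constructed sample"
    m.set_content("See the attached file.")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()
```
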
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.