2003: Sobig.F: The Fastest-Spreading Email Virus in History
On August 19, 2003, a new email worm appeared on the internet. Within 24 hours, it had generated an estimated one million copies of itself. Within a week, it accounted for roughly one in every seventeen emails sent anywhere on earth. At its absolute peak, email systems worldwide were processing more copies of the Sobig.F worm than legitimate human messages.
Sobig.F wasn’t the first email virus — the ILOVEYOU worm had shocked the world three years earlier. But Sobig.F was different. It was faster, more efficient, and engineered with a sophistication that suggested its creator understood email infrastructure at a professional level. It was also, in a grim way, the virus that proved email’s malware problem wasn’t a one-time event but a permanent condition.
The Sixth Try
Sobig.F wasn’t an isolated creation. It was the sixth variant in a series — Sobig.A through Sobig.F — each released over the course of 2003, each more refined than its predecessor. The “F” variant was the masterwork, incorporating lessons learned from the previous five versions about what worked and what didn’t.
This iterative approach was unusual for malware at the time. Most viruses were one-shot creations — a hacker wrote a worm, released it, and moved on. Sobig’s creator was running what amounted to a development cycle, testing infection techniques, improving propagation methods, and refining evasion tactics with each release. It was malware engineering.
Each previous variant had been moderately successful but had limitations that the creator systematically addressed. By the time Sobig.F launched, the propagation engine had been optimized to a frightening degree.
How It Spread
Sobig.F arrived as an email with mundane, businesslike subject lines: “Re: Details,” “Re: Approved,” “Re: Your application,” “Re: Wicked screensaver,” “Re: Thank you!” The “Re:” prefix was deliberate — it made the email look like a reply to a previous conversation, increasing the likelihood that recipients would open it without suspicion.
The attachment had innocent-seeming names like “details.pif,” “your_document.pif,” or “application.pif.” The .pif extension (Program Information File) was executable on Windows but unfamiliar enough that many users didn’t recognize it as potentially dangerous.
When executed, Sobig.F performed a systematic harvest of email addresses from every file on the infected computer — documents, web pages, cached files, address books. It then sent copies of itself to those addresses using its own built-in SMTP engine, bypassing the victim’s email client entirely. This meant the infected computer became an independent email server, sending spam at high speed without the user’s knowledge.
The worm also spread through shared network drives. In corporate environments, where file shares were common, Sobig.F could propagate across an entire office without any email interaction at all — one infected machine could deposit copies of itself on every accessible network share.
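A gateway-side filter of the kind the text later describes ISPs adopting, written here as an added example (not code from the page, a vendor product or the worm itself): it parses a raw message with Python's standard `email` module, quarantines anything carrying a directly executable attachment, and treats the reply-style subject lines listed above as supporting evidence only, since genuine replies look identical. The blocked-extension list is an assumed policy and the sample messages are constructed.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Lures reported for Sobig.F in the text above: reply-style subjects and .pif attachment names.
SOBIG_SUBJECTS = {"re: details", "re: approved", "re: your application",
                  "re: wicked screensaver", "re: thank you!"}
SOBIG_ATTACHMENTS = {"details.pif", "your_document.pif", "application.pif"}
# Assumed gateway policy (not from the write-up): extensions Windows will execute directly.
BLOCKED_EXT = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}


def classify(raw: bytes) -> dict:
    """Return a verdict ('quarantine' or 'deliver') and the reasons for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip()
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        ext = os.path.splitext(name.lower())[1]
        if name.lower() in SOBIG_ATTACHMENTS:
            reasons.append(f"known Sobig.F attachment name: {name}")
        elif ext in BLOCKED_EXT:
            reasons.append(f"executable attachment ({ext}): {name}")
    # The subject alone is a weak signal (real replies look the same), so it only
    # adds confidence once an executable attachment is already present.
    if reasons and subject.lower() in SOBIG_SUBJECTS:
        reasons.append(f"known Sobig.F subject line: {subject}")
    return {"subject": subject, "verdict": "quarantine" if reasons else "deliver", "reasons": reasons}


def build_sample(subject: str, filename: str = "") -> bytes:
    """Construct a sample message for testing (constructed data, not a captured Sobig.F email)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    if filename:
        # Placeholder bytes standing in for the attachment body; no real executable content.
        msg.add_attachment(b"MZ-placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    for subj, fname in [("Re: Details", "details.pif"), ("Re: Thank you!", ""),
                        ("Quarterly report", "report.pdf"), ("Hello", "setup.exe")]:
        print(classify(build_sample(subj, fname)))
```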
The Scale
The numbers were staggering. On August 19, Sobig.F generated approximately one million copies within the first 24 hours. By August 22, major email service providers reported that Sobig.F traffic accounted for the majority of their email volume. MessageLabs, an email security company, reported filtering one copy of Sobig.F for every 17 legitimate emails processed — and they were catching millions per day.
The volume overwhelmed email infrastructure worldwide. Mail servers stalled under the load. Internet backbone providers reported measurable increases in overall traffic. Organizations that had weathered previous worms found their email systems buckling under the sheer quantity of infected messages.
Some estimates placed the total number of Sobig.F-infected messages in the billions over the worm’s active lifetime. The economic cost was estimated at $37 billion, including cleanup costs, lost productivity, and infrastructure expenses — though such figures are inherently difficult to calculate precisely.
The Self-Destruct Date
Sobig.F had an unusual feature: a built-in expiration date. The worm was programmed to deactivate on September 10, 2003 — just three weeks after release. After that date, the worm would stop propagating, and infected machines would no longer send copies.
This self-destruct mechanism suggested premeditation. The creator appeared to be planning the next variant (a hypothetical Sobig.G), intending each version to run for a limited period before being replaced by an improved successor. The expiration date also reduced the window for investigators to trace the worm’s infrastructure back to its source.
Sobig.G never appeared. Whether the creator was deterred by the intense investigation, satisfied with the results of the F variant, or simply moved on to other activities remains unknown.
The Investigation
The FBI launched a major investigation into Sobig.F, coordinating with international law enforcement and private security companies. The probe revealed that the worm was connected to a sophisticated spam operation. Sobig.F wasn’t just spreading for the sake of spreading — it was installing proxy servers on infected machines, which could later be used to relay spam emails.
This was a critical insight. Sobig.F wasn’t vandalism. It was infrastructure construction. The creator was building a network of thousands of compromised computers — a botnet, though the term wasn’t yet widely used — that could be used for commercial spam operations. The worm was a tool for building an email-sending army.
Security researchers traced some of Sobig.F’s command-and-control infrastructure to servers in Russia and the United States. Several servers were seized, but the creator’s identity was never publicly confirmed. No arrest was ever announced.
The Aftermath
Sobig.F accelerated changes in email security that were already underway after the ILOVEYOU worm and other incidents. ISPs and email providers implemented more aggressive filtering of executable attachments. Corporate IT departments deployed gateway email scanning at unprecedented scale. The market for email security products grew substantially.
More importantly, Sobig.F marked the transition of email malware from hobbyist mischief to commercial crime. Earlier worms like ILOVEYOU were created by individuals for notoriety or experimentation. Sobig.F was created to build spam infrastructure for profit. The professionalization of email-based malware had begun, and the era of the amateur virus writer was ending.
The email ecosystem learned a harsh lesson from Sobig.F: email isn’t just a communication channel — it’s an attack surface. And the people exploiting that attack surface were getting smarter, more organized, and more motivated by money than by fame. That lesson remains painfully relevant.
Frequently Asked Questions
What was the Sobig.F worm?
Sobig.F was an email worm that appeared on August 19, 2003. It spread through email attachments and network shares, generating an estimated one million copies within its first 24 hours. At its peak, Sobig.F accounted for approximately 1 in every 17 emails sent worldwide.
How did Sobig.F spread?
Sobig.F arrived as an email attachment with subject lines like 'Re: Details,' 'Re: Thank you!,' or 'Re: Approved.' When opened, it harvested email addresses from files on the infected computer and sent copies of itself to those addresses. It also spread through shared network folders in corporate environments.
Who created Sobig.F?
The creator of Sobig.F was never definitively identified or prosecuted. The FBI investigated extensively, and security researchers traced some infrastructure to Russia, but no arrest was made. The worm was part of a series (Sobig.A through Sobig.F), each more sophisticated than the last.