Five days after its first appearance, the W32/Sobig-A worm continues
to cause problems. Sophos has received an increasing number of
request for information about how to protect against the worm.
The email always has the following address in its 'From' field:
big@boss.com, but its subject line is randomly chosen. Its infected
attachment is a .PIF file that can have one of four names. If
opened, it copies itself to a Windows folder as an .EXE, searches
the Windows local hard drive and tries to extract a list of
recipient email addresses to which the worm will attempt to send
infected emails.
"Today's viruses travel fast, and the Sobig worm is no
exception." said Carole Theriault, anti-virus consultant at Sophos.
"Everyone should always treat attachments with suspicion. Configure
your anti-virus gateway protection to block all executable file
types from even entering a company. Putting this in place will
significantly lower your chances of infection by a mass-mailing
worm masquerading as an innocent attachment."
If you have not already protected against W32/Sobig, Sophos
strongly recommends you update all installations of Sophos
Anti-Virus in your company.
How to avoid infection in the future
Update your corporate anti-virus software now so that you can
detect and prevent the W32/Sobig-A worm. If you
do not have procedures for rapid updates, implement them now,
because you are sure to need them again. Sophos Enterprise Manager is one way to help
automate protection updates inside your company.
If possible, block all Windows programs at your email gateway.
Some email applications can be configured to do this. It is rarely
necessary to allow users to receive programs via email. There is so
little to lose, and so much to gain, simply by blocking all
mailed-in programs, regardless of whether they contain viruses or
not. Sophos MailMonitor for SMTP
contains pro-active threat reduction technology which can help you
block dangerous filetypes and executable code at the email
gateway.
Many viruses have exploited loopholes in commonly used web
browsers and email software (e.g. Internet Explorer, Outlook and
Outlook Express) to increase their chances of spreading
effectively. Microsoft has issued a patch which addresses this and
other vulnerabilities, and it can be downloaded from www.microsoft.com/technet/security/bulletin/MS01-027.asp.
Every IT manager responsible for security should consider
subscribing to vulnerability mailing lists such as that operated by
Microsoft at www.microsoft.com/technet/security/bulletin/notify.asp.
Other vendors offer similar services.
If you are a home user you may like to consider visiting
windowsupdate.microsoft.com, a site run by
Microsoft, which can automatically scan your computer for
vulnerabilities and suggest which security patches need to be
downloaded.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.