The Lovgate affair: a storm in a teacup?

February 25, 2003 Sophos Press Release

Since Monday morning, "Lovgate" has been the most commonly searched-for phrase on the Sophos website as people hunt for information on the new computer worm, which distributes itself using a variety of different filenames, including hamster.exe. However, Sophos technical support has not seen a correspondingly high number of reports from businesses actually infected by the virus.

W32/Lovgate-B (also known as Lovgate-C by some anti-virus products) has been widely written about by the media following high-level warnings from some anti-virus companies. Sophos, however, believes that reports of the worm are dwarfed by other viruses which have been spreading for longer, such as W32/Klez-H and W32/Sobig-A.

"It appears the 'high' assessment given to this virus by some anti-virus companies describes the concern that has been generated about it better than it describes its actual worldwide prevalence," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Although Lovgate is being seen in the wild it is not being encountered anything like as much as old faithfuls like Klez-H. Companies who practise safe computing and block executable code at the email gateway are unlikely to be at much risk".

Sophos believes that mass-mailing viruses can easily become over-reported, especially in statistics derived from email gateway detections alone. This is because an email which contains a copy of a virus does not necessarily correspond with an infection by the virus. After all, 10,000 copies of the virus in emails which aren't actually deliverable at their final destination (and which would ultimately be discarded anyway) might clock 10,000 hits at the email gateway which is blocking that virus.

How to help avoid infection in the future

Update your corporate anti-virus software now so that you can detect those viruses which are spreading in the wild. If you do not have procedures for rapid updates, implement them now, because you are sure to need them again. Sophos Enterprise Manager is one way to help automate protection updates inside your company.

If possible, block all Windows programs at your email gateway. Some email applications can be configured to do this. It is rarely necessary to allow users to receive programs via email. There is so little to lose, and so much to gain, simply by blocking all mailed-in programs, regardless of whether they contain viruses or not. Sophos MailMonitor for SMTP contains pro-active threat reduction technology which can help you block dangerous filetypes and executable code at the email gateway.