The Bibrog worm: Sophos says stay ahead of the game

March 14, 2003 Sophos Press Release

A new email-aware worm, W32/Bibrog-B, poses as a computer game in an attempt to lure unsuspecting users into launching it.

However, whilst the shooting game is running, the worm is copying itself across the user's hard drive and preparing to forward itself to all contacts in the Outlook address book. Furthermore, it attempts to spread itself using the KaZaA, Grokster and Morpheus internet file-sharing systems.

In a final devious payload, the worm makes changes to an infected user's internet browser such that it can display fake versions of genuine websites such as Hotmail, Citibank, MSN and Yahoo, in an attempt to steal usernames and passwords.

"Many people assume a virus that destroys data is as bad as it gets. However, a virus which can swipe confidential details such as account information is a much greater potential danger," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Companies should inform their users that running unauthorised programs such as games and screensavers on their business computers is unacceptable because of the risks of virus attack."

Furthermore, Sophos recommends companies consider blocking all Windows programs at their email gateway. It is rarely necessary to allow users to receive programs via email from the outside world. There is so little to lose, and so much to gain, simply by blocking all mailed-in programs, regardless of whether they contain viruses or not. Sophos MailMonitor for SMTP contains pro-active threat reduction technology which can help businesses block dangerous filetypes and executable code at the email gateway.

Sophos customers who have kept their anti-virus software up to date are automatically protected against W32/Bibrog-B. Users of other anti-virus products are advised to update their software.