Sobig-B worm disguises itself as an email from Microsoft, Sophos advises

May 19, 2003 Sophos Press Release

Emails infected with W32/Sobig-B

Sophos, a global leader in anti-virus protection for businesses, has warned that a new email-aware worm is spreading, disguised as an email appearing to come from Microsoft's technical support department.

The worm, known as W32/Sobig-B, pretends to come from support@microsoft.com and contains the message text "All information is in the attached file".

The attached file is a Windows program with a "PIF" extension. If users open the attachment then they will infect themselves immediately. W32/Sobig-B copies itself to the Windows folder, scoops up email addresses it finds on the user's hard disk, and then starts sending itself out by email.

"Many users who are wary of EXE and VBS files which arrive in their email may not realise that PIF files are equally capable of being malicious," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Microsoft technical support does not send out files in this way, and users should think twice before they click."

Sophos recommends companies consider blocking all Windows programs at their email gateway. It is rarely necessary to allow users to receive programs via email from the outside world. There is so little to lose, and so much to gain, simply by blocking all emailed programs, regardless of whether they contain viruses or not. Users of Sophos MailMonitor for SMTP can achieve this through its threat reduction capability.

"Best practice for business should include automatic blocking of all executable code at the email gateway," continued Cluley. "At the very least, all PIF files should be blocked. There should never be any need to distribute genuine PIF files - which are really just a type of shortcut - via email."