
Sophos technical support has advised customers that it is
receiving many reports from computer users of the W32/Sobig-F mass-mailing
worm.
The Sobig-F worm, which can spread via email, has reportedly
been sighted in large numbers. When it arrives via email, the
worm can pose as an attached PIF or SCR file. Launching the
attached file infects the computer.
"The author of the Sobig worms has pulled this particular
confidence trick several times before," said Graham Cluley, senior
technology consultant for Sophos Anti-Virus. "Many users know to be
cautious about running unsolicited EXE files, but they should be
equally wary about running PIF files or screensavers. All computer
users should exercise caution when deciding what is safe to run on
their computers."
Subject lines used are taken from a list, including "Re: That
movie", "Re: Wicked screensaver", "Re: Approved" and "Your
details". Like other variants of Sobig, the worm is programmed to
stop working on a particular date; in this case, 10 September,
2003.
"Putting a 'dead-date' on his viruses suggests that the Sobig
author is effectively test-driving his creations to see which
tricks work best from the technical and psychological point of
view," continued Cluley. "Releasing Sobig variants on different
days of the week, and using slightly different subject lines and
filenames, suggests that the worm's author may be trying to find
the 'perfect' conditions under which his viruses can spread most
quickly."
Sophos issued protection against the W32/Sobig-F worm at 10:37
GMT on Tuesday, 19 August 2003.
How to avoid infection in the future
If you have not already protected against W32/Sobig-F, Sophos
strongly recommends you update all installations of Sophos
Anti-Virus in your company.
Update your corporate anti-virus software now so that you can
detect and prevent the W32/Sobig-F worm. If you do not have
procedures for rapid updates, implement them now, because you are
sure to need them again. Sophos Enterprise
Manager is one way to help automate protection updates inside
your company.
If possible, block all Windows programs at your email gateway.
Some email applications can be configured to do this. It is rarely
necessary to allow users to receive programs via email. There is so
little to lose, and so much to gain, simply by blocking all
mailed-in programs, regardless of whether they contain viruses or
not. Sophos MailMonitor for SMTP
contains pro-active threat reduction technology which can help you
block dangerous filetypes and executable code at the email
gateway.
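
The gateway rule described above, as an added example (not Sophos code and not part of the original advisory): a Python filter that rejects attachments by executable extension and, for renamed programs, by the "MZ" header that Windows executables start with. The extension list, function names, attachment names and sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed block list: PIF, SCR and EXE are named in the advisory, the rest are
# other extensions Windows runs directly.
BLOCKED_EXT = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}

def blocked_attachments(raw: bytes):
    """Return [(filename, reason)] for each MIME part a gateway should reject."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip()
        clean = name.rstrip(". ")  # Windows ignores trailing dots and spaces
        # Only the LAST extension decides how Windows opens "notes.txt.scr"
        ext = "." + clean.rsplit(".", 1)[-1].lower() if "." in clean else ""
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXT:
            hits.append((name, "extension " + ext))
        elif payload[:2] == b"MZ":  # program hidden behind a harmless-looking name
            hits.append((name or "<unnamed>", "MZ header"))
    return hits

def sample_message() -> bytes:
    """Constructed test message; the attachments are inert placeholder bytes."""
    m = EmailMessage()
    m["Subject"] = "Re: That movie"
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m.set_content("Please see the attached file for details.")
    for fname, data in [("clip.pif", b"MZ\x90\x00constructed"),
                        ("notes.txt.scr", b"MZ\x90\x00constructed"),
                        ("report.doc", b"MZ\x90\x00constructed"),
                        ("readme.txt", b"plain text, nothing to run")]:
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    for name, reason in blocked_attachments(sample_message()):
        print(f"REJECT {name}: {reason}")
```

The check never asks whether the attachment is a known virus, which matches the advice to block all mailed-in programs regardless of whether they contain viruses.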
Further reading: Read instructions on how to
remove the W32/Sobig-F worm and ensure your system is not
vulnerable to reinfection.
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.