Sophos, a global leader in anti-virus protection for businesses,
has warned that a new email-aware worm is spreading, disguised as
an email appearing to come from Microsoft's technical support
The worm, known as W32/Sobig-B, pretends to
come from email@example.com and contains the message text "All
information is in the attached file".
The attached file is a Windows program with a "PIF" extension.
If users open the attachment then they will infect themselves
immediately. W32/Sobig-B copies itself to the Windows folder,
scoops up email addresses it finds on the user's hard disk, and
then starts sending itself out by email.
"Many users who are wary of EXE and VBS files which arrive in
their email may not realise that PIF files are equally capable of
being malicious," said Graham Cluley, senior technology consultant
for Sophos Anti-Virus. "Microsoft technical support does not send
out files in this way, and users should think twice before they
Sophos recommends companies consider blocking all Windows
programs at their email gateway. It is rarely necessary to allow
users to receive programs via email from the outside world. There
is so little to lose, and so much to gain, simply by blocking all
emailed programs, regardless of whether they contain viruses or
not. Users of Sophos MailMonitor for SMTP can achieve this through
"Best practice for business should include automatic blocking of
all executable code at the email gateway," continued Cluley. "At
the very least, all PIF files should be blocked. There should never
be any need to distribute genuine PIF files - which are really just
a type of shortcut - via email."