Sophos technical support has advised customers that it is receiving many reports from computer users of the W32/Sobig-F mass-mailing worm.
The Sobig-F worm, which spreads via email, has reportedly been sighted in large numbers. When it arrives by email the worm poses as an attached PIF or SCR file; launching the attachment infects the computer.
"The author of the Sobig worms has pulled this particular confidence trick several times before," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Many users know to be cautious about running unsolicited EXE files, but they should be equally wary about running PIF files or screensavers. All computer users should exercise caution when deciding what is safe to run on their computers."
Subject lines used are taken from a list, including "Re: That movie", "Re: Wicked screensaver", "Re: Approved" and "Your details". Like other variants of Sobig, the worm is programmed to stop working on a particular date; in this case, 10 September, 2003.
"Putting a 'dead-date' on his viruses suggests that the Sobig author is effectively test-driving his creations to see which tricks work best from the technical and psychological point of view," continued Cluley. "Releasing Sobig variants on different days of the week, and using slightly different subject lines and filenames, suggests that the worm's author may be trying to find the 'perfect' conditions under which his viruses can spread most quickly."
Sophos issued protection against the W32/Sobig-F worm at 10:37 GMT on Tuesday, 19 August 2003.
How to avoid infection in the future
If you have not already protected against W32/Sobig-F, Sophos strongly recommends you update all installations of Sophos Anti-Virus in your company.
Update your corporate anti-virus software now so that you can detect and prevent the W32/Sobig-F worm. If you do not have procedures for rapid updates, implement them now, because you are sure to need them again. Sophos Enterprise Manager is one way to help automate protection updates inside your company.
If possible, block all Windows programs at your email gateway. Some email applications can be configured to do this. It is rarely necessary to allow users to receive programs via email. There is so little to lose, and so much to gain, simply by blocking all mailed-in programs, regardless of whether they contain viruses or not. Sophos MailMonitor for SMTP contains pro-active threat reduction technology which can help you block dangerous filetypes and executable code at the email gateway.
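As an added illustration of the gateway policy recommended above (example code written for this page, not a Sophos product or the MailMonitor implementation), the following Python filter parses an inbound message, blocks any attachment whose final extension marks it as a Windows program (PIF and SCR are the types Sobig-F uses; the other extensions are assumed additions a gateway would normally block as well), and flags messages whose subject matches the Sobig-F list quoted earlier. The sample messages and attachment filenames are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment types treated as Windows programs. .pif and .scr are the ones
# the advisory names for Sobig-F; the rest are assumed, common executable types.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}

# Subject lines the advisory lists for W32/Sobig-F (compared case-insensitively).
SOBIG_F_SUBJECTS = {"re: that movie", "re: wicked screensaver", "re: approved", "your details"}


def executable_attachments(msg):
    """Return filenames of attachments whose final extension is an executable type.
    Only the last extension counts, so a double-extension name such as
    'movie.mpg.pif' is still caught; trailing dots/spaces are ignored as Windows does."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lowered = name.lower().rstrip(". ")
        ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
        if ext in EXECUTABLE_EXTENSIONS:
            found.append(name)
    return found


def gateway_verdict(raw_message):
    """Apply the policy to a raw RFC 822 message: 'block' if it carries a program,
    'review' if only the subject matches the Sobig-F list, otherwise 'allow'."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    execs = executable_attachments(msg)
    if execs:
        reasons.append("executable attachment: " + ", ".join(execs))
    if (msg["Subject"] or "").strip().lower() in SOBIG_F_SUBJECTS:
        reasons.append("subject matches known Sobig-F subject list")
    verdict = "block" if execs else ("review" if reasons else "allow")
    return verdict, reasons


def build_sample(subject, filename):
    """Construct a test message carrying one attachment (sample data, not a real worm)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See the attached file.")
    msg.add_attachment(b"MZ-constructed-placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(gateway_verdict(build_sample("Re: Wicked screensaver", "wicked.scr")))
```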
Further reading: Read instructions on how to remove the W32/Sobig-F worm and ensure your system is not vulnerable to reinfection.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.