Press Releases

Browse our press release archive

19 Sep 2003

Gibe-F worm is easy to avoid, says Sophos

MessageSophos, a world leader in anti-virus protection for businesses, has issued a warning of a new Windows worm, named W32/Gibe-F (also known as Swen), which arrives as an email attachment masquerading as a security patch.

The emails sent out by the worm include a message which is randomly constructed from a wide range of realistic-sounding phrases, so there is no fixed text to watch out for. But companies such as Microsoft never send out security patches by email, which makes the Gibe worm a dead giveaway.

If an infected attachment is opened, the Gibe worm starts to spread. It covers its tracks by producing just the sort of message you might expect from a security patch, such as "Microsoft Internet Update Pack - This update does not need to be installed on this system", or "This will install Microsoft Security Update. Do you wish to continue?".

In the background, however, Gibe searches your hard disk for email addresses and sends out a copy of itself to each of them. Gibe tries to switch off a range of security and anti-virus products - which may open you up to reinfection by older viruses against which you thought yourself safe.

Gibe also attempts to spread using peer-to-peer networking by copying itself to KaZaA shared folders. Here, it disguises itself with the sort of filename that has become typical amongst virus writers, implying it has something to do with porn, drugs, hacking and even virus cleanup.

"Recent virus outbreaks such as BlasterNachi and Sobig-F have raised many users' awareness of computer security," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Users may think it is a good idea to install any security patch which is sent to them. Unfortunately, they may be falling straight into the virus writer's hands."

Sophos offers the following advice:

  • Never accept security updates which arrive as email attachments. (For that matter, don't blindly follow web links which arrive by email, either, especially if they take you directly to a software download.)
  • If you have a mail server which can block attachments (such as Sophos MailMonitor for SMTP), disallow the sending or receiving of attachments which contain programs. It is almost impossible to make a business case for using email to distribute programs, on account of the associated dangers.
  • Update your anti-virus software regularly so you can identify new worms and viruses effectively and accurately.
  • Emails which sound too strange to be true, or sound too good to be true, or are just too conveniently-timed to be true, probably aren't true. You don't need to be cynical or paranoid to exercise caution!
  • If you have peer-to-peer file sharing programs installed on your company's network, consider removing them. It is almost impossible to make a business case for unregulated file sharing across the internet, on account of the associated dangers.
  • Doing nothing about viruses and worms is not an option. Once infected by a worm like Gibe, your computer will try to send the worm to as many other potential victims as it can. Even if you don't care about your computer, be considerate of the effect that your carelessness might have on other internet users.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at