Sophos

15 January 2003

Sobig and getting bigger

Five days after its first appearance, the W32/Sobig-A worm continues to cause problems, and Sophos has received a growing number of requests for information about how to protect against it.

The infected email always carries the address big@boss.com in its 'From' field, but its subject line is chosen at random. The attachment is a .PIF file that can have one of four names. If the attachment is opened, the worm copies itself into a Windows folder as an .EXE, searches the local hard drive for email addresses, and then attempts to send infected emails to every address it has harvested.

"Today's viruses travel fast, and the Sobig worm is no exception," said Carole Theriault, anti-virus consultant at Sophos. "Everyone should always treat attachments with suspicion. Configure your anti-virus gateway protection to block all executable file types from even entering a company. Putting this in place will significantly lower your chances of infection by a mass-mailing worm masquerading as an innocent attachment."

If you have not already protected against W32/Sobig-A, Sophos strongly recommends that you update all installations of Sophos Anti-Virus in your company.

How to avoid infection in the future

Update your corporate anti-virus software now so that you can detect and prevent the W32/Sobig-A worm. If you do not have procedures for rapid updates, implement them now, because you are sure to need them again. Sophos Enterprise Manager is one way to help automate protection updates inside your company.

If possible, block all Windows programs at your email gateway. Some email applications can be configured to do this. It is rarely necessary to allow users to receive programs via email. There is so little to lose, and so much to gain, simply by blocking all mailed-in programs, regardless of whether they contain viruses or not. Sophos MailMonitor for SMTP contains pro-active threat reduction technology which can help you block dangerous filetypes and executable code at the email gateway.
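The two points above (the worm's fixed sender and .PIF attachment, and the advice to refuse mailed-in programs whatever they contain) can be turned into a simple gateway check. The following is an added illustration written for this page, not code from Sophos or from any Sophos product: it parses a message with Python's standard email library, rejects attachments by executable extension, and additionally looks for the DOS 'MZ' signature that every Windows executable starts with, so a program renamed to .txt is still caught. The extension list, the sample messages and the attachment name sample.pif are constructed for the example and are not the worm's real filenames.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions a corporate gateway should refuse regardless of content.
# This list is an assumption for the example; extend it to local policy.
EXECUTABLE_EXTENSIONS = {
    "exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js", "hta", "lnk",
}

# The fixed sender address the article attributes to W32/Sobig-A.
SOBIG_SENDER = "big@boss.com"

# Constructed stand-in for an executable payload: Windows EXE/PIF/SCR
# files all begin with the two-byte DOS header "MZ".
MZ_STUB = b"MZ\x90\x00\x03\x00" + b"\x00" * 58


def looks_like_pe(data: bytes) -> bool:
    """Content check: does the payload start with the DOS 'MZ' header?"""
    return data[:2] == b"MZ"


def attachment_extensions(filename: str) -> list:
    """Every dotted suffix, lower-cased, so 'invoice.txt.pif' gives
    ['txt', 'pif'] and the double-extension trick stays visible."""
    return filename.lower().split(".")[1:]


def inspect_message(raw: bytes) -> dict:
    """Return a verdict for one raw RFC 822 message (bytes).

    'blocked' is True if any attachment has an executable extension, carries
    an MZ header, or matches the Sobig-A sender-plus-.PIF pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From") or "").lower()
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        exts = attachment_extensions(name)
        if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension .{exts[-1]} in '{name}'")
        if looks_like_pe(payload):
            reasons.append(f"PE/DOS 'MZ' header in '{name}'")
        if SOBIG_SENDER in sender and "pif" in exts:
            reasons.append("matches Sobig-A indicators (big@boss.com sender and .PIF attachment)")
    return {"blocked": bool(reasons), "reasons": reasons, "sender": sender}


def build_sample(sender: str, filename: str, payload: bytes, subject: str) -> bytes:
    """Build a constructed test message (not a real worm capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Please see the attached file.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        ("sobig-like", build_sample("big@boss.com", "sample.pif", MZ_STUB, "random subject")),
        ("benign", build_sample("alice@example.com", "notes.txt", b"hello", "notes")),
        ("renamed exe", build_sample("alice@example.com", "report.txt", MZ_STUB, "report")),
        ("double ext", build_sample("alice@example.com", "invoice.txt.pif", b"not a program", "invoice")),
    ]
    for label, raw in samples:
        verdict = inspect_message(raw)
        print(f"{label:12} blocked={verdict['blocked']} reasons={verdict['reasons']}")
```

The extension rule alone is what the paragraph above recommends; the MZ check is the cheap content-based safety net for attachments that arrive under an innocent name, and the Sobig-specific rule is only a convenience for tagging this particular outbreak in gateway logs.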

Many viruses have exploited vulnerabilities in commonly used web browsers and email software (e.g. Internet Explorer, Outlook and Outlook Express) to spread more effectively, for example by running an attachment without the user opening it. Microsoft has issued a patch which addresses such vulnerabilities; it can be downloaded from www.microsoft.com/technet/security/bulletin/MS01-027.asp.

Every IT manager responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.asp. Other vendors offer similar services.

If you are a home user you may like to consider visiting windowsupdate.microsoft.com, a site run by Microsoft, which can automatically scan your computer for vulnerabilities and suggest which security patches need to be downloaded.
