Free Republic

Sobig.E@MM worm spreading around globe.
Source: Computerworld | June 26, 2003 | By TODD R. WEISS

Posted on 06/26/2003 11:37:53 AM PDT by New Horizon

The latest version of the Sobig worm is making its way through computer networks around the world, apparently causing no direct damage but hogging bandwidth and IT resources in its path. The new worm, called W32.Sobig.E@MM, has been showing up around the globe since yesterday, according to Graham Cluley, senior technical consultant for antivirus software vendor Sophos PLC in Oxford, England. So far, it's only annoying, but it could be a precursor to more serious and damaging attacks, he said.

The worm affects network PCs that run the Windows 95/98/Me and Windows NT/2000 operating systems, according to Sophos. It spreads by scouring an infected computer's hard drive for e-mail addresses in address books or even Web browser cache files, then sends itself out to the addresses it finds. It can spoof its sender's address, so the recipients believe they are receiving a message from someone they know.

This is the latest in a series of Sobig worms in recent months, Cluley said. The new version is being sent as a .zip file, perhaps to allow it to spread in corporate environments where .exe and other file types are automatically blocked in incoming e-mails, he said. "It's hard to speculate" why the new approach was taken, Cluley said.

While the virus does no actual harm, the spoofed messages can elicit anger from customers and users who receive the worm, Cluley said. He noted that a future version of the worm could be used to set up infected machines so that they can relay spoofed messages that could be used for destructive purposes.

The new worm is set to automatically time itself out and stop spreading on July 14, according to Sophos. One reason for the ending date, Cluley said, is that the virus creator may believe that it would provide a good defense if he is caught and prosecuted. "In our minds, that's nonsense, because a virus like this can spread around the world in a matter of hours," which makes an ending date a moot issue, he said.

Marty Lindner, a team leader for incident handling at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh, said the rapid spread of the worm since yesterday means recipients are still opening files in messages even when they have been warned countless times that it's unsafe to do so.

The virus apparently spread too quickly for the antivirus vendors to react and update their antivirus products, he said.

"This is a good indication of the viruses winning" this round, Lindner said. "You can't always rely on antivirus as the silver bullet." Users need to pay more attention to incoming files and e-mail and not open files if they're not expecting to receive them for specific reasons, he said.

Also posting warnings, information and fixes for the Sobig-E worm are vendors Symantec Corp. and McAfee Security.

The subject line of the worm identifies itself as an application, movie, document, screensaver or application, in addition to other variants.

The prior version, SoBig-D, was first seen last week. Earlier versions of the worm, such as W32/Sobig-C and W32/Sobig-B, would sometimes purport to come from Bill Gates at Microsoft or Microsoft technical support, according to Sophos.


TOPICS: News/Current Events; Technical
KEYWORDS: lowqualitycrap; microsoft; sobig; trojan; virus; windows

1 posted on 06/26/2003 11:37:54 AM PDT by New Horizon

To: New Horizon
Damn Outlook.

Norton Anti-virus already has an update for this.

2 posted on 06/26/2003 11:40:20 AM PDT by Semper Paratus

To: New Horizon
Sobig.E@MM worm Idiots who won't stop opening e-mail attachments spreading around globe.

There. Fixed it.

3 posted on 06/26/2003 11:42:31 AM PDT by RonF

To: RonF
LOL...posted this because we're getting hit pretty hard here. My Norton AV is catching it all, but it's gaining some speed.

4 posted on 06/26/2003 11:45:41 AM PDT by New Horizon

To: Semper Paratus
I got hit on about 150 pc's in our shop today, Symantec Corporate did the job and quarantined the files.

If you want a sample let me know.. I can send it to you.. safely.. promise

FYI, in Outlook Express the zip comes in and if the user opens the zip file and clicks the pif. BANG you got it.

Update those def files guys.



5 posted on 06/26/2003 11:47:51 AM PDT by Tank-FL (Keep the Faith - GO VMI)

To: New Horizon
I got this virus in three e-mails yesterday.

The first one, which came in an e-mail from a real person at Children's Hospital in Brookline Mass (tch.harvard.edu) was not recognized by Norton Anti-virus.

Since I did not know the person, and it contained a .zip attachment, I deleted it immediately.

Norton caught and deleted the second two messages.

Personally, I think virus creators should be put to death like old time horse thieves.

6 posted on 06/26/2003 11:52:36 AM PDT by Maceman

To: New Horizon
This is really irritating, since zip files are one of the few remaining safe means to send genuinely useful files of certain types.

7 posted on 06/26/2003 12:04:48 PM PDT by Publius6961 (Californians are as dumm as a sack of rocks)

To: Maceman
I especially like this line:

This is the latest in a series of Sobig worms in recent months, Cluley said. The new version is being sent as a .zip file, perhaps to allow it to spread in corporate environments where .exe and other file types are automatically blocked in incoming e-mails, he said. "It's hard to speculate" why the new approach was taken, Cluley said.

The "new approach" was taken because Outlook automatically blocks access to .exe .pif, etc. but will let zipped files right on through. That's kind-of a no-brainer, isn't it?

8 posted on 06/26/2003 12:05:33 PM PDT by New Horizon
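The gap described in posts 5 and 8 (a filter that stops .exe and .pif attachments but passes a .zip holding a .pif) closes once the gateway checks archive members as well as the outer file name. The following is an added example, not part of the original thread; the block list, function names and sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the gateway refuses; this list is an assumption for the example.
BLOCKED = (".exe", ".pif", ".scr", ".com", ".bat")

def is_blocked(name):
    """True if the file name ends in a blocked extension (case-insensitive)."""
    # Trailing dots and spaces are dropped because Windows ignores them.
    return name.lower().rstrip(". ").endswith(BLOCKED)

def flagged_attachments(raw_message):
    """Return (attachment, member) pairs that should be quarantined.

    member is None for a directly attached blocked file, the archive member
    name for a blocked file inside a zip, and "<unreadable zip>" when the
    archive cannot be inspected.
    """
    findings = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if is_blocked(fname):
            findings.append((fname, None))
            continue
        looks_zip = zipfile.is_zipfile(io.BytesIO(data))
        if not (looks_zip or fname.lower().endswith(".zip")):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                findings += [(fname, i.filename) for i in zf.infolist()
                             if is_blocked(i.filename)]
        except zipfile.BadZipFile:
            findings.append((fname, "<unreadable zip>"))
    return findings

def build_sample(member_name):
    """Constructed test message: a zip attachment holding one inert file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"inert placeholder bytes")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()
```

Archives whose contents cannot be listed are reported rather than passed, so an unreadable zip does not become the next way around the filter.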

To: Publius6961
Worry not...Microsoft will protect us by automatically blocking access to .zip in the next release!

You're absolutely right...basically anything that is not zipped is not shipped through email.

Hey, you can always rename the file extension...oh, that's right, file extensions are now hidden by default. What's a file extension???

9 posted on 06/26/2003 12:09:07 PM PDT by New Horizon
