~ Archive for August 19, 2003 ~

sobig.f on a rampage


A few people (e.g. red) at the Berkman Center have started getting lots and lots of messages infected with the W32.Sobig.F virus.

This is irritating for a couple of reasons.

1) It’s a drag to get lots of superfluous and possibly dangerous mail.

2) People will think you are infected with it, even when you aren’t. Sobig.F includes its own SMTP engine, which means that it talks directly with mail servers. This allows it to forge the address it alleges to be “from”. It also knows how to search through various files on an infected machine’s hard drive, and harvest email addresses. It uses these addresses both as a list of people to try to infect, and as a list of people from whom to pretend to have originated. So if your email address happens to be in a file which a Sobig virus looks at, people will get infected messages which claim to be from you. Some helpful souls will think that means you have a virus, and contact you. Some ill-guided institutions have doodads installed on their mail servers which automatically bounce virus-infected mail back to the “sender”, which is obviously dumb and confusing when the alleged sender is not the same as the infected person. It would be better to make these programs only bounce messages which contain viruses which actually use the real originating email address. In my opinion this behavior hovers somewhere along the border of unethical.

3) Sobig.F searches through cached webpages in addition to address books. If your address, like bloggercon at cyber.law.harvard.edu or cyber at law.harvard.edu, is in a lot of reasonably popular webpages, it will be cached on many machines and you will get a Lot of mail from a Lot of different people, and probably have your address forged on a Lot of infected emails.

4) The Sobig.F messages are, well, so big! The attachment is like 100k. If you have a quota on your mailbox and are getting lots of these, they might flood you.

So how do we deal with this? There is, unfortunately, no way to get the deluge of mail to stop, since it’s close to impossible to figure out from whom an infected message actually originates. But here are a few things you can do:

1) Make sure you have up-to-date virus software, so at least you can avoid the indignity of getting infected. If you’re at Berkman and your machine is on the network you’re fine. Otherwise you should make sure your virus definitions are very recent. I don’t know about other vendors, but Symantec just released their sobig.f definition today.

2) Everyone knows not to open attachments with extensions like .exe and .bat. However, Sobig.F uses .pif and .scr as its filename extensions. Don’t open attachments with these names either. And for Pete’s sake, don’t open attachments from people you don’t know. This is not burdensome paranoia – it’s common sense.

3) Cultivate forbearance and cunning. If you’re only getting a few of these messages, you can grin and bear it. If they’re really bugging you, it might be worthwhile to invest some time in setting up filters in your email program to delete these messages automatically, or move them to some other folder. There are only a half-dozen or so subject-headings that Sobig.F uses, and there are some other characteristics all infected emails will share, such as the presence of an attachment and certain text in the body.
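As an added example (not from the original post), here is a small Python mailbox filter built from the traits described above: a .pif/.scr attachment, a subject from a known list, and a known body phrase. The subject and body lists and the sample message are constructed placeholders, not the real Sobig.F strings; take those from the vendor write-ups. Because the From: address is forged, the filter never proposes bouncing to the sender.

```python
import email
from email import policy

# Attachment extensions the post says Sobig.F uses.
WORM_EXTENSIONS = (".pif", ".scr")
# CONSTRUCTED placeholders: replace with the real subject lines and body
# text from the Symantec/Sophos pages. Compared case-insensitively.
WORM_SUBJECTS = {"re: details", "your details", "re: thank you!"}
WORM_BODY_PHRASES = ("see the attached file for details",)

def sobig_indicators(raw: bytes) -> list[str]:
    """Return the Sobig-style traits found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in WORM_SUBJECTS:
        hits.append("known subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(WORM_EXTENSIONS):
            hits.append(f"attachment {name}")
        elif part.get_content_type() == "text/plain":
            body = part.get_content().lower()
            if any(p in body for p in WORM_BODY_PHRASES):
                hits.append("known body text")
    return hits

def filter_action(raw: bytes) -> str:
    """Decide what the mailbox filter should do with a message.
    The worm forges From:, so 'bounce to sender' is never an option."""
    hits = sobig_indicators(raw)
    if any(h.startswith("attachment") for h in hits):
        return "quarantine"   # .pif/.scr attachment: don't open it, don't bounce it
    if len(hits) >= 2:        # known subject plus known body text
        return "quarantine"
    return "deliver"

# CONSTRUCTED sample message (not a real capture) in the worm's shape.
SAMPLE = (b"From: someone@example.org\r\nTo: you@example.com\r\n"
          b"Subject: Re: Details\r\nMIME-Version: 1.0\r\n"
          b"Content-Type: multipart/mixed; boundary=\"xx\"\r\n\r\n"
          b"--xx\r\nContent-Type: text/plain\r\n\r\nSee the attached file for details\r\n"
          b"--xx\r\nContent-Type: application/octet-stream; name=\"report.pif\"\r\n"
          b"Content-Disposition: attachment; filename=\"report.pif\"\r\n"
          b"Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n--xx--\r\n")

if __name__ == "__main__":
    print(sobig_indicators(SAMPLE), filter_action(SAMPLE))
```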

If you want to know more, find a removal tool, etc., you can consult this excellent information page from Symantec or this from Sophos. Lots more details there.
