Heads-up: Possible Sobig-F second wave attack

Antony Stone Antony at SOFT-SOLUTIONS.CO.UK
Fri Aug 22 14:49:02 IST 2003


Hi.

I just received this from Sophos. People may want to check firewall and
mail gateway configurations before the weekend (Bank Holiday in the UK...)

It's a pity they don't say what mechanism is likely to be used for any code
download, however I would guess at either HTTP, or possibly port 25 on a
remote server, even if the mechanism isn't really SMTP.

Antony.

----------  Forwarded Message  ----------

Subject: Sophos: How to protect against Sobig-F second wave attack
Date: Fri, 22 Aug 2003 14:26:14 +0100
From: Sophos Alert System <emergency-return at lists.sophos.com>
To: emergency at lists.sophos.com

SOPHOS ADVISES ON HOW TO PROTECT AGAINST SOBIG-F SECOND WAVE ATTACK

Sophos researchers have published information on a second
wave attack which the Sobig-F worm may attempt to make
in the coming hours.

On infected PCs, Sobig-F will attempt to download code from
the internet and then run it on the computer.  This occurs
on Fridays and Sundays at 19:00-22:00 GMT.  This equates
to the following times in different parts of the world:

Los Angeles    12 noon -  3:00pm
     Boston    3:00pm  -  6:00pm
     London    8:00pm  - 11:00pm
     Berlin    9:00pm  - 12:00 midnight
  Hong Kong    3:00am  -  6:00am (Saturday and Monday)
      Tokyo    4:00am  -  7:00am (Saturday and Monday)
     Sydney    5:00am  -  8:00am (Saturday and Monday)

(Note that because of time differences, the attempt
to download code will happen on Saturdays and Mondays
in the Far East and Australasia).

The worm has been programmed to automatically direct infected
PCs to a server controlled by the virus writer from which a
malicious program could be downloaded. At the moment, it is
not known what the download material will do, but
possibilities include launching another virus or spam
attack, collecting sensitive information, or deleting
files stored on an infected computer or network.

More details on how to prevent the download happening on
your computers, and information on how to clean-up
a Sobig infection, are available at the following URLs:

  http://www.sophos.com/virusinfo/analyses/w32sobigf.html
  http://www.sophos.com/sobig
  http://www.sophos.com/virusinfo/articles/sobigextra.html

HOW TO AVOID INFECTION IN THE FUTURE

If you have not already protected against W32/Sobig-F,
Sophos strongly recommends you update all installations of
Sophos Anti-Virus in your company.

Update your corporate anti-virus software now so that
you can detect and prevent the W32/Sobig-F worm. If you
do not have procedures for rapid updates, implement them
now, because you are sure to need them again. Sophos
Enterprise Manager is one way to help automate protection
updates inside your company.  More details are available at:

  http://www.sophos.com/products/em/

Ensure you are signed up to Sophos's email list for
notification of every new virus found in the wild.

  http://www.sophos.com/virusinfo/infofeed/

If possible, block all Windows programs at your email gateway.
Some email applications can be configured to do this. It is
rarely necessary to allow users to receive programs via email.
There is so little to lose, and so much to gain, simply by
blocking all mailed-in programs, regardless of whether they
contain viruses or not. Sophos MailMonitor for SMTP contains
pro-active threat reduction technology which can help you
block dangerous filetypes and executable code at the email
gateway.  More details are available at:

  http://www.sophos.com/products/mm/

-------------------------------------------------------
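The forwarded alert gives the Sobig-F download window as Fridays and Sundays, 19:00-22:00 GMT, and the covering mail guesses the download would go over HTTP or to port 25 on a remote server. The following is an added example, not code from the list post or from Sophos: it reproduces the alert's local-time table from fixed UTC offsets (the August 2003 summer-time offsets are assumed), and scans constructed firewall log lines (the log format is an assumption for this example) for outbound connections to those ports inside the window, which is what an administrator checking gateway logs over the weekend would want to flag.

```python
import re
from datetime import datetime, timedelta, timezone

# Sobig-F download window as stated in the Sophos alert: Fridays and Sundays,
# 19:00-22:00 GMT (treated as UTC here).
ACTIVE_WEEKDAYS = {4, 6}        # datetime.weekday(): Monday == 0, so Friday == 4, Sunday == 6
WINDOW_START_MIN = 19 * 60      # minutes after midnight UTC
WINDOW_END_MIN = 22 * 60

# Ports the covering mail guesses the download might use (HTTP, or 25 on a remote host).
SUSPECT_PORTS = {80, 25}


def parse_utc(ts_text):
    """Turn 'YYYY-MM-DDTHH:MM:SS' (UTC, no zone suffix) into an aware datetime."""
    return datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def in_download_window(ts):
    """True if a timezone-aware timestamp falls inside a Sobig-F download window."""
    utc = ts.astimezone(timezone.utc)
    minute_of_day = utc.hour * 60 + utc.minute
    return utc.weekday() in ACTIVE_WEEKDAYS and WINDOW_START_MIN <= minute_of_day < WINDOW_END_MIN


def local_window(utc_offset_hours):
    """Express the 19:00-22:00 UTC window for a zone at a fixed UTC offset.

    Returns (start, end, day_shift): local clock times as 'HH:MM' strings and
    how many days the local date at the start of the window is ahead of the
    UTC date (0 = same day, 1 = the following day).
    """
    ref = datetime(2003, 8, 22, 19, 0, tzinfo=timezone.utc)   # a Friday; any window day works
    tz = timezone(timedelta(hours=utc_offset_hours))
    start = ref.astimezone(tz)
    end = (ref + timedelta(hours=3)).astimezone(tz)
    day_shift = (start.date() - ref.date()).days
    return start.strftime("%H:%M"), end.strftime("%H:%M"), day_shift


# Assumed (constructed) firewall log format: ISO-8601 UTC timestamp plus key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)$"
)


def flag_window_connections(lines):
    """Return (src, dst, dport, timestamp) for connections to a suspect port made
    inside the download window. Lines that do not match LOG_RE are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        dport = int(m.group("dport"))
        if dport in SUSPECT_PORTS and in_download_window(parse_utc(m.group("ts"))):
            hits.append((m.group("src"), m.group("dst"), dport, m.group("ts")))
    return hits


# Constructed sample log, not real traffic. 2003-08-22 is a Friday, 2003-08-23 a Saturday.
SAMPLE_LOG = """\
2003-08-22T18:59:40Z src=10.0.0.5 dst=198.51.100.7 dport=80 action=allow
2003-08-22T19:02:11Z src=10.0.0.5 dst=198.51.100.7 dport=80 action=allow
2003-08-22T20:15:03Z src=10.0.0.9 dst=203.0.113.4 dport=25 action=allow
2003-08-22T20:16:00Z src=10.0.0.9 dst=203.0.113.4 dport=443 action=allow
2003-08-23T19:30:00Z src=10.0.0.5 dst=198.51.100.7 dport=80 action=allow
this line is not in the expected format
""".splitlines()


if __name__ == "__main__":
    # Offsets in force in August 2003 (summer time where applicable); compare with the alert's table.
    for city, offset in [("Los Angeles", -7), ("Boston", -4), ("London", 1),
                         ("Berlin", 2), ("Hong Kong", 8), ("Tokyo", 9), ("Sydney", 10)]:
        start, end, shift = local_window(offset)
        print(f"{city:>12}: {start} - {end}" + (" (next day)" if shift else ""))
    for hit in flag_window_connections(SAMPLE_LOG):
        print("suspect download attempt:", hit)
```

Only two of the sample lines are flagged: the 18:59 connection falls just before the window, the port 443 connection is outside the guessed port set, and the Saturday line is outside the window's days. In practice the window check is a coarse filter; a host that repeatedly reaches the same external address from inside the window is what merits a look.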

--

If at first you don't succeed, destroy all the evidence that you tried.
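The alert's advice to "block all Windows programs at your email gateway" is a policy that is simple to express in code. The following is an added example, not the list post's code and not Sophos MailMonitor: it parses a constructed MIME message with the standard library and rejects any attachment whose final extension is one Windows will execute. The extension list is an assumption (the alert names no specific types), and whitespace padding in the filename is collapsed first, since that is a common way to push the real extension out of sight in a mail client.

```python
import re
from email import message_from_string
from email.policy import default

# File types Windows runs directly (programs, scripts, shortcuts, control panel
# applets). A generic list assumed for this example; the Sophos alert names none.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "pif", "scr", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "lnk", "reg", "msi",
}


def is_blocked_attachment(filename):
    """True if the attachment name should be rejected under a 'no mailed-in programs' policy."""
    # Collapse whitespace padding such as "report.txt            .pif"; Windows decides
    # what to run by the final extension, so that is the one checked here.
    name = re.sub(r"\s+", "", filename.lower())
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1] in EXECUTABLE_EXTENSIONS


def blocked_attachments(raw_message):
    """Parse an RFC 822 message and return the attachment filenames the policy would block."""
    msg = message_from_string(raw_message, policy=default)
    blocked = []
    for part in msg.walk():           # walk() visits every MIME part, including nested ones
        filename = part.get_filename()
        if filename and is_blocked_attachment(filename):
            blocked.append(filename)
    return blocked


# Constructed sample message (not a real Sobig-F sample): one inline text part,
# one executable attachment and one harmless text attachment.
SAMPLE_MESSAGE = """\
From: alice@example.com
To: bob@example.com
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="us-ascii"

Please see the attached file.

--BOUND
Content-Type: application/octet-stream; name="your_details.pif"
Content-Disposition: attachment; filename="your_details.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--BOUND
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just some notes
--BOUND--
"""


if __name__ == "__main__":
    for name in blocked_attachments(SAMPLE_MESSAGE):
        print("would block attachment:", name)
```

A gateway filter of this kind rejects the message (or strips the part) regardless of whether a scanner recognises the content, which is exactly the point the alert makes: the policy does not depend on having a signature for the latest worm.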


