ME and Ophelia
Friday, August 22, 2003
SOPHOS ADVISES ON HOW TO PROTECT AGAINST SOBIG-F
SECOND WAVE ATTACK
Sophos researchers have published information on a second
wave attack which the Sobig-F worm may attempt to make
in the coming hours.
On infected PCs, Sobig-F will attempt to download code from
the internet and then run it on the computer. This occurs
on Fridays and Sundays at 19:00-22:00 GMT. This equates
to the following times in different parts of the world:
Los Angeles 12 noon - 3:00pm
Boston 3:00pm - 6:00pm
London 8:00pm - 11:00pm
Berlin 9:00pm - 12:00 midnight
Hong Kong 3:00am - 6:00am (Saturday and Monday)
Tokyo 4:00am - 7:00am (Saturday and Monday)
Sydney 5:00am - 8:00am (Saturday and Monday)
(Note that because of time differences, the attempt
to download code will happen on Saturdays and Mondays
in the Far East and Australasia).
The worm has been programmed to automatically direct infected
PCs to a server controlled by the virus writer from which a
malicious program could be downloaded. At the moment, it is
not known what the download material will do, but
possibilities include launching another virus or spam
attack, collecting sensitive information, or deleting
files stored on an infected computer or network.
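The advisory gives defenders one concrete indicator: the download attempt only happens on Fridays and Sundays between 19:00 and 22:00 GMT. The following Python is an added example, not Sophos code and not from the original post; it turns that window into something a gateway operator can act on. It computes the next windows in UTC (for scheduling a temporary outbound block or heightened monitoring) and scans constructed proxy log lines for executable downloads made inside the window. The log format, the client addresses, the host example.invalid and the list of executable extensions are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Second-wave window stated in the advisory: Fridays and Sundays, 19:00-22:00 GMT.
WINDOW_WEEKDAYS = (4, 6)   # datetime.weekday(): Monday=0 ... Friday=4, Sunday=6
WINDOW_START = 19          # inclusive hour, UTC
WINDOW_END = 22            # exclusive hour, UTC

# Assumed set of "Windows program" extensions to flag in fetched URLs (not from the advisory).
EXECUTABLE_RE = re.compile(r"\.(exe|com|scr|pif|bat|cmd|dll)(\?|$)", re.IGNORECASE)

# Constructed proxy log lines for the example: "<ISO-8601 UTC> <client-ip> <method> <url>".
# 2003-08-22 is the Friday the advisory was published.
SAMPLE_LOG = """\
2003-08-22T18:30:11Z 10.1.2.3 GET http://example.invalid/news/index.html
2003-08-22T19:05:42Z 10.1.2.3 GET http://example.invalid/files/update.exe
2003-08-22T20:17:09Z 10.1.2.7 GET http://example.invalid/img/logo.gif
2003-08-22T21:59:59Z 10.1.2.9 GET http://example.invalid/dl/setup.scr?x=1
2003-08-23T03:10:00Z 10.1.2.3 GET http://example.invalid/files/update.exe
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def in_window(ts: datetime) -> bool:
    """True if a timezone-aware timestamp falls inside the download window."""
    if ts.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    t = ts.astimezone(timezone.utc)
    return t.weekday() in WINDOW_WEEKDAYS and WINDOW_START <= t.hour < WINDOW_END


def next_windows(after: datetime, count: int = 2) -> list[tuple[str, str]]:
    """Upcoming (start, end) windows as ISO-8601 UTC strings, for scheduling blocks."""
    after = after.astimezone(timezone.utc)
    day = after.replace(hour=0, minute=0, second=0, microsecond=0)
    out: list[tuple[str, str]] = []
    while len(out) < count:
        if day.weekday() in WINDOW_WEEKDAYS:
            start = day.replace(hour=WINDOW_START)
            end = day.replace(hour=WINDOW_END)
            if end > after:  # skip windows that have already closed
                out.append((start.isoformat(), end.isoformat()))
        day += timedelta(days=1)
    return out


def flag_window_downloads(log_text: str) -> list[tuple[str, str]]:
    """Return (client-ip, url) for executable fetches made inside the window."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        ip, url = m.group(2), m.group(4)
        if in_window(ts) and EXECUTABLE_RE.search(url):
            hits.append((ip, url))
    return hits


if __name__ == "__main__":
    now = datetime(2003, 8, 22, 12, 0, tzinfo=timezone.utc)
    for start, end in next_windows(now):
        print("window:", start, "to", end)
    for ip, url in flag_window_downloads(SAMPLE_LOG):
        print("suspicious download in window:", ip, url)
```

The hour comparison is done after converting to UTC, so the same check works for the Far East and Australasian sites where the window falls on Saturday and Monday local time. The 18:30 and 03:10 lines in the sample fall outside the window and are not reported, which is the point: the timing is a filter that narrows attention, not proof of infection on its own.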
More details on how to prevent the download happening on
your computers, and information on how to clean up
a Sobig infection, are available at the following URLs:
Sophos virus analysis: W32/Sobig-F
Sophos: W32/Sobig-F disinfection instructions and FAQ
Sobig-F worm has twist in tail - Sophos warns of possible "Trojan horse" download
HOW TO AVOID INFECTION IN THE FUTURE
If you have not already protected against W32/Sobig-F,
Sophos strongly recommends you update all installations of
Sophos Anti-Virus in your company.
Update your corporate anti-virus software now so that
you can detect and prevent the W32/Sobig-F worm. If you
do not have procedures for rapid updates, implement them
now, because you are sure to need them again. Sophos
Enterprise Manager is one way to help automate protection
updates inside your company. More details are available at:
Sophos products
Ensure you are signed up to Sophos's email list for
notification of every new virus found in the wild.
Sophos email notification
If possible, block all Windows programs at your email gateway.
Some email applications can be configured to do this. It is
rarely necessary to allow users to receive programs via email.
There is so little to lose, and so much to gain, simply by
blocking all mailed-in programs, regardless of whether they
contain viruses or not. Sophos MailMonitor for SMTP contains
proactive threat reduction technology which can help you
block dangerous filetypes and executable code at the email
gateway. More details are available at:
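The recommendation above is to block all mailed-in Windows programs at the gateway, whether or not they carry a known virus. The Python below is an added example of that policy, written for this page and not taken from Sophos or any product: it parses a message with the standard library, refuses attachments whose filename carries an executable extension, and also refuses attachments whose content starts with the PE "MZ" header even when the filename and declared content type look harmless. The extension list, the sample messages and the example.invalid addresses are assumptions made for the example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed baseline of "Windows program" extensions to refuse (not a list from the advisory).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".hta"}
PE_MAGIC = b"MZ"  # DOS/PE executable header


def attachment_verdicts(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) per attachment; reason is 'allowed' or why it is blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            reason = f"blocked extension {ext}"
        elif payload[:2] == PE_MAGIC:
            # Content check catches executables renamed to a benign extension.
            reason = "PE header despite filename"
        else:
            reason = "allowed"
        verdicts.append((name, reason))
    return verdicts


def should_quarantine(raw: bytes) -> bool:
    """Gateway decision: hold the whole message if any attachment is blocked."""
    return any(reason != "allowed" for _, reason in attachment_verdicts(raw))


def build_sample(filename: str, content: bytes, mime_type: str) -> bytes:
    """Construct a sample message with one attachment (test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Re: Details"
    msg.set_content("Please see the attached file.")
    maintype, subtype = mime_type.split("/", 1)
    msg.add_attachment(content, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Three constructed cases: executable by name, executable by content, and plain text.
SAMPLE_PIF = build_sample("details.pif", b"MZ\x90\x00" + b"\x00" * 16, "application/octet-stream")
SAMPLE_RENAMED = build_sample("report.txt", b"MZ\x90\x00" + b"\x00" * 16, "text/plain")
SAMPLE_TEXT = build_sample("notes.txt", b"Just some notes.\n", "text/plain")

if __name__ == "__main__":
    for label, raw in (("pif", SAMPLE_PIF), ("renamed", SAMPLE_RENAMED), ("text", SAMPLE_TEXT)):
        print(label, attachment_verdicts(raw), "quarantine" if should_quarantine(raw) else "deliver")
```

Checking the first bytes as well as the extension matters because the declared content type and filename are chosen by the sender; a filter that trusts only the name passes a renamed program straight through. Archives are deliberately not unpacked here, so a real gateway rule would add that step or block archive types it cannot inspect.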
Sophos products
Sophos also recommends companies consider adding Sophos's free
virus infofeed to their public websites or intranet to keep
their users informed of the very latest virus threats. The
feeds are simple to add and easy to configure, ensuring you
always have up-to-the-minute information.
Read more about our virus and hoax info feeds at:
Virus and hoax information feeds
________________________________________________________