August 26, 2003

SoBig seems to be SoMuch more

People need to be aware of the "So-Big" Internet virus/worm that is circulating now. It appears to be part of an organized set of experiments in how to effectively spread a virus that drops a "Trojan horse" or "back door" onto a computer. That back door can in turn give a remote user access to your computer and any information stored on it.

What makes this virus special is that it usually appears to come from someone you know or may have sent mail to (such as a prospective employer). It places random subject lines on the messages it sends; some carry the socially engineered subject "Your Resume" or "Re: Resume".

Note: other Subject lines are generated as well. See the article above.

Most people do not send emails with the subject line "Resume", but they might. People looking for jobs are usually thrilled to get a response (or what appears to be a response) to anything they send out, and will eagerly open the mail and its attachments. That is social engineering, just like the "I Love You" virus that went around a while ago.

This virus needs your ACTIVE co-operation to actually work. The email arrives with an attachment in the form of a .pif file under varying names. Trying to open the .pif attachment executes the worm/Trojan horse.
Please note the attachment may be named to look like a picture, something like "coolpic.jpg.pif", or a Word document like "resume.doc.pif". A .pif file is a Windows program shortcut, and Windows runs it as a program no matter what comes before the final dot. Many people see the .jpg or .doc and never notice or understand the .pif appended to it. Examine attachment names thoroughly, all the way to the last extension. No one should ever send you an attachment with a .pif or .exe file extension (there are several others, such as .scr and .bat, but let's keep it as simple as possible).
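As an added example (not code from the original post), here is a small Python check that does mechanically what the paragraph asks the reader to do by eye: parse a message, look at each attachment's real (last) extension, and flag executable types and decoy double extensions such as "resume.doc.pif". The sample message and the two extension lists are constructed for the demo and are assumptions, not taken from the post or from any real SoBig capture.

```python
"""Flag risky e-mail attachments by file name.

Added example, not code from the original post.  It checks the two
things the post tells readers to look for: attachments whose real
extension is an executable type such as .pif or .exe, and names that
hide that extension behind a harmless-looking one ("resume.doc.pif").
The sample message and extension lists below are constructed for the demo.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows treats as programs.  .pif/.scr/.com/.bat were the ones
# worms of this era favoured; the list is an assumption, extend as needed.
EXECUTABLE_EXTENSIONS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js"}
# Extensions people read as "just a document or picture" (assumed list).
DECOY_EXTENSIONS = {"doc", "jpg", "jpeg", "gif", "txt", "pdf", "zip", "htm", "html"}


def classify_filename(name):
    """Return a list of reasons a file name looks dangerous (empty if clean)."""
    reasons = []
    # Split on dots; the *last* part is the extension the OS actually acts on.
    parts = [p.strip() for p in name.lower().split(".")]
    if len(parts) < 2:
        return reasons
    real_ext = parts[-1]
    if real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{real_ext}")
        # "resume.doc.pif": a decoy extension sits right before the real one.
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"decoy extension .{parts[-2]} hides .{real_ext}")
    # Runs of spaces push the real extension out of view in a narrow column.
    if "  " in name:
        reasons.append("padding spaces in name")
    return reasons


def risky_attachments(msg):
    """Walk a parsed message and return {filename: [reasons]} for risky parts."""
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        reasons = classify_filename(name)
        if reasons:
            flagged[name] = reasons
    return flagged


def build_sample_message():
    """Constructed look-alike of a SoBig-style mail (not a real capture)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "hr@example.com"          # forged; a harvested address
    msg["To"] = "you@example.net"
    msg["Subject"] = "Re: Resume"
    msg.set_content("See the attached file for details.")
    # A few harmless bytes stand in for the worm body.
    msg.add_attachment(b"MZ\x90\x00 not really a program",
                       maintype="application", subtype="octet-stream",
                       filename="resume.doc.pif")
    msg.add_attachment(b"%PDF-1.4 constructed sample",
                       maintype="application", subtype="pdf",
                       filename="cover_letter.pdf")
    return msg


def scan_bytes(raw):
    """Parse raw RFC 822 bytes and return the risky attachments found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return risky_attachments(msg)


if __name__ == "__main__":
    for name, why in scan_bytes(bytes(build_sample_message())).items():
        print(f"RISKY {name}: {'; '.join(why)}")
```

The check deliberately ignores the sender and subject: as the post explains, both are chosen by the worm, so the attachment name is the only part of the message a reader can actually rely on.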

This worm is very sophisticated and has its own email engine. It uses your address book to construct emails that appear to be sent by some of your contacts to others of your contacts, with a copy of itself attached. Because the "From" address is forged, the person named as sender is usually not the one who is infected.

The worm itself does no damage beyond trying to spread. The backdoor it installs, however, runs as a service and wants access to the Internet. A firewall in its default configuration will block that access, but many of us just click "allow access" for most applications without thinking about it. Once the Trojan has access to the net it notifies the "bad guys" that it is ready for instructions, then sits and waits.

How to protect yourself:

You can set your email options to "quarantine" or block the opening of email attachments. This isn't practical for most of us, but it SHOULD make us think before we click if we have to go change our email security policy to open an enclosed file. Opening an email does NOT, as a rule, execute any programs, so you can read your mail; the exceptions come from bugs in the mail client itself, which is one more reason to keep it patched. It is the attachments you need to look out for.

If you exchange attachments with people on a regular basis (you know who you are) you might want to agree on a "keyword" to place in the subject or body of the message, so your friends know that you really sent it and can vouch for the attachment. Worms do not know about this keyword, so your friends can always tell your mail from a virus posing as you. Keep in mind this only defeats an automated worm; it does nothing against a person who has read your mail and learned the keyword.

Subscribe to an antivirus service, set it to auto-update every night, and then run a virus scan each day on all folders, including compressed files. If it has an e-mail scanning mode, enable it. New variants of SoBig and other viruses are detected every day, so yesterday's signatures may miss today's worm.

Install a firewall program. "ZoneAlarm" is free and easy to use. If you have Windows XP you can enable the built-in Internet Connection Firewall (ICF), but be aware that it only blocks unsolicited inbound connections; it will not prompt you when a program on your machine tries to reach the Internet, which is the warning the rest of this section relies on. When a "new" program wants access to the Internet, as indicated by your firewall software, ask yourself: what is this program and why does it need access to the Internet? If you don't know, ask Google about the program that wants access. This is a case where Just Say NO can be a good thing.

Often the Trojan horse software is named after a legitimate service that has been running on your machine. It installs itself in place of the legitimate service and changes your computer so the program is run every time you start up your machine. In most cases the name is a variant of the original service name, which causes the firewall program to warn that a new program needs Internet access. The Trojan is designed to replace the service, doing everything the service did before in addition to listening for instructions.

If you have had a firewall installed for several months, chances are you rarely get prompted to allow a program Internet access, unless of course you installed a new program that needs it. The prompting usually sorts itself out within a few days of installing the firewall software. If you install a new program it may want access to the net to register itself or to look for updates; this is normal and expected behavior. If you haven't added anything recently, your firewall software should be quiet and not inform you of a new program needing access to the Internet. An unexpected prompt is exactly the symptom described above, so treat it as one.

If you are using IRC/ICQ or P2P software you are increasing your exposure to viral threats. Sharing music files can be like sharing a dirty needle. IRC/ICQ is like having unprotected sex with multiple partners. A virus/worm does not spread only via email.

Knowing the right thing to do is becoming more and more difficult. It is an unfortunate fact of Internet life. Practice safe computing. Keep your doors locked with a firewall and/or router. A virus scan is like getting a blood test to see if you have an infection. E-mail scanners act like a prophylactic to prevent infection. Not opening attachments unless you know where they came from and what they are is just being responsible.

If you do online banking or taxes, if you have purchased something via the Internet or participated in an online auction, or if you have disclosed personal information in an email to friends and family, that information is at risk on an infected machine. Take care of it.

And Mac and Linux users... don't be smug; there are worms and Trojans that affect you too. They don't make the news because there are so few of you, but you too can be hacked, cracked and whacked.

Posted by Philip at August 26, 2003 10:50 AM