De-Worming Mail Servers

By Dennis Fisher  |  Posted 2003-08-25

Mass-mailed worms ail enterprises.

Welcome to the summer of the Worm. Just eight days after Blaster began chewing its way through the Internet, another variant of the SoBig worm appeared last week, further burdening already-overworked IT and security staffs. As annoying and potentially dangerous as Blaster is, mass-mailing worms such as SoBig are perhaps worse from an enterprise perspective, thanks to their propensity for clogging mail servers and flooding users' in-boxes with electronic flotsam.

Worm food
Recent outbreaks and their effects

Virus      Effects
MiMail     342,000 copies seen
Blaster    Approximately 400,000 machines infected
SoBig.F    380,000-plus copies

Sources: MessageLabs, Symantec

Known as SoBig.F, the new variant behaves much like its older siblings, infecting Windows machines via e-mail and sending out dozens of copies of itself.

The variant began spreading on the morning of Aug. 19, and by noon, MessageLabs Inc. had stopped more than 100,000 copies. The virus is approximately 73KB in size, and the attachment that actually contains the malicious code can carry any one of a number of names, according to iDefense Inc., a security company based in Reston, Va. To evade anti-virus scanners, SoBig.F carries a few bytes of garbage at the end of the file, which changes the file's size and other characteristics, such as its hash, that scanners key on, without changing the code that runs.
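As an added illustration of why a few bytes of trailing garbage matter (this is example code written for this page, not code from the article or from any vendor it names): the script below builds a constructed stand-in payload, appends junk bytes to it, and shows that a whole-file hash and an exact-size check stop matching while a hash of a fixed prefix and a byte-pattern signature still fire. The payload, the signature values, the window size and every function name are assumptions made for the example.

```python
import hashlib
import random

# Constructed stand-in for a worm executable body. Assumption: this toy
# payload is NOT SoBig.F; it only needs a stable prefix and a recognisable
# substring so the four detection strategies can be compared.
ORIGINAL_BODY = b"MZ\x90\x00" + b"TOY-WORM-PAYLOAD:" + bytes(range(256)) * 4

# Signatures a scanner might carry for this sample, all derived from the
# unmodified body. The names and the 64-byte window are our own choices.
KNOWN_HASH = hashlib.sha256(ORIGINAL_BODY).hexdigest()
KNOWN_SIZE = len(ORIGINAL_BODY)
PREFIX_WINDOW = 64
KNOWN_PREFIX_HASH = hashlib.sha256(ORIGINAL_BODY[:PREFIX_WINDOW]).hexdigest()
CONTENT_SIGNATURE = b"TOY-WORM-PAYLOAD:" + bytes(range(16))


def append_garbage(body: bytes, n: int, seed: int = 1) -> bytes:
    """Return a variant of `body` with `n` pseudo-random trailing bytes.

    This mimics the trick described above: the code that runs is untouched,
    only the tail of the file changes. A fixed seed keeps the example
    reproducible."""
    rng = random.Random(seed)
    return body + bytes(rng.randrange(256) for _ in range(n))


def matches_whole_file_hash(sample: bytes) -> bool:
    """Signature on the hash of the entire file: broken by any trailing byte."""
    return hashlib.sha256(sample).hexdigest() == KNOWN_HASH


def matches_file_size(sample: bytes) -> bool:
    """Signature on the exact file size: broken by any trailing byte."""
    return len(sample) == KNOWN_SIZE


def matches_prefix_hash(sample: bytes) -> bool:
    """Hash of only the first PREFIX_WINDOW bytes: unaffected by appended junk."""
    return hashlib.sha256(sample[:PREFIX_WINDOW]).hexdigest() == KNOWN_PREFIX_HASH


def matches_content_signature(sample: bytes) -> bool:
    """Byte-pattern search anywhere in the file: unaffected by appended junk."""
    return CONTENT_SIGNATURE in sample


def compare_detectors(sample: bytes) -> dict:
    """Run all four detectors on `sample` and report which of them still fire."""
    return {
        "whole_file_hash": matches_whole_file_hash(sample),
        "file_size": matches_file_size(sample),
        "prefix_hash": matches_prefix_hash(sample),
        "content_signature": matches_content_signature(sample),
    }


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL_BODY),
                          ("padded +1", append_garbage(ORIGINAL_BODY, 1)),
                          ("padded +512", append_garbage(ORIGINAL_BODY, 512))):
        print(f"{label:12s} size={len(sample):5d} {compare_detectors(sample)}")
```

The caveat the example also shows: the two detectors that survive padding survive it only because the padding is appended. Junk inserted at the front shifts the prefix window, and any edit inside the payload breaks the byte-pattern match, which is why a scanner that keys on a single whole-file property is the weakest of the four against this kind of variant.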

This is the sixth version of SoBig to be released. Anti-virus experts say one of the main reasons virus writers continue to modify and re-release this particular piece of malware is that it downloads a Trojan horse to infected computers, which are then used to send spam. Spammers are constantly in need of new machines through which to route their garbage e-mail, and a virus makes a perfect delivery mechanism for the engine they use for their mass mailings.

The other reason that SoBig seems to be so popular with virus writers is that it works. Plain and simple, users continue to open attachments from people they don't know, even after repeated warnings not to do so.

"Six times a charm when it comes to SoBig, which certainly calls into question why these fairly simple malware attacks continue to successfully propagate," said Ian Hameroff, eTrust security strategist at Computer Associates International Inc., based in Islandia, N.Y.

SoBig.F's arrival comes just eight days after the initial onset of the Blaster worm, which has infected several hundred thousand Windows PCs. Blaster, which exploits a flaw in the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) interface on Windows 2000 and Windows XP machines, also spawned an imitator last week. A worm known as Blaster.D, or Nachi, began spreading Aug. 18, using the same flaw to compromise systems. Nachi, however, also removed the original Blaster worm from infected PCs and attempted to download and install the patch from Microsoft Corp. for the DCOM vulnerability.
