Sobig-E isn't the first worm to try to Zip its way around the Internet. Worm writers have tried to embed malicious code in Zip files before, but this is the first time a piece of malicious code has had the capability to send itself out as a Zip file, experts said.
Currently, Sobig-E is spreading rapidly via e-mail and open network shares. Experts said this morning that the worm is a home user problem primarily, though it could find its way into some enterprise environments.
Sobig-E's arrival as a Zip file could allow it to slip past some antivirus scanners, such as those that generally strip executable files like .exe, .scr and .pif, for example. However, a user must travel an extra step with Sobig-E by unzipping the file and then double-clicking the file to execute the worm.
Like its four predecessors, the first of which arrived in January, Sobig-E does not auto-execute, which means that a user must fall for a bit of social engineering surrounding the worm. Sobig-E is capable of spoofing e-mail addresses and then sending itself via an internal SMTP engine. That could entice some users to proceed with executing the worm.
"People have to go the extra step, and it's that pause while they are unzipping [the file] when they should think 'Is this the smart thing to do?'," said Russ Cooper, editor of NTBugtraq and surgeon general with TruSecure Corp., a Herndon, Va.-based managed security services provider. "The social engineering isn't
Cooper said Sobig-E is gaining most of its traction via open network shares, and that should serve as a warning to enterprises to make sure remote connections and computers are secured.
"If a VPN user becomes infected because their kid opened the attachment and set it loose on a network share, then that's another story," Cooper said.
Generally, enterprises allow Zip files as attachments because, for the most part, they have a business use. Zip files compress larger files, enabling them to be forwarded more quickly through networks. Most virus scanners are capable of looking inside Zip files for infected files or prohibited file types.
"[Sobig-E] is a twist, however. Most file-blocking rules won't stop it," said Roger Thompson, vice president of development with PestPatrol Inc., in Carlisle, Pa. "All companies have to do is update their antivirus software to stop it. It's undetectable for a short time while companies get their virus definitions updated."
Cooper said that some antivirus scanners were able to detect the variant as Sobig; others must wait for an updated virus signature.
In the meantime, virus and worm authors may take a cue from Sobig-E and try Zip files as a future means of attack.
"The lesson here is not to rely on antivirus products to detect all viruses and worms," Cooper said.
FOR MORE INFORMATION: