Unzip at Your Peril – It May be Sobig Worm

Sophos’s customer support service has received many reports from businesses attacked by the latest variant of the Sobig worm.

Sobig-E (W32/Sobig-E), first seen 25th June, is the fifth variant of the Sobig worm – but varies from its older siblings as it spreads itself in the form of a ZIP file.

Even though the user has to unZIP the offending file and launch its content to become infected, some business networks are still falling victim to the worm. Sophos advises all businesses to keep their virus protection up-to-date and educate their users about the perils of unsolicited code.

“Sobig-E is different from your typical worm as it spreads as a ZIP file. This means even if a company has a forward-thinking security policy of blocking executable code – the usual carrier for email worms – Sobig-E can sneak past and dupe people into running its code,” said Graham Cluley, senior technology consultant for Sophos Anti-Virus. “The best defence against Sobig-E is to get into the habit of never running unsolicited code and keep your email gateway and desktop virus protection up-to-date.”

Sobig-E is programmed to fall dormant on 14 July, indeed all the Sobig worms have had limited lifespans. If the virus writer continues with this pattern, Sophos says it would not be surprised if a sixth version of the worm were released shortly after the demise of Sobig-E.

More details of Sobig-E can be found at: