Clearswift’s ThreatLab Warns W32/Sobig Worm Variants Imminent

Sobig Proactively Stopped by Clearswift’ CS MAILsweeperâ„? for SMTP

London, UK—September 17, 2003—Clearswift, the world leader in managing and securing electronic communications, warned today that variants of W32/Sobig are imminent. Many companies suffered serious inconvenience due to the unprecedented spread of the recent Sobig.F worm which was pre-programmed to self-terminate on September 10, 2003.

“Sobig was the sixth in a series of controlled experiments by the creator of this worm,” said Pete Simpson, ThreatLab manager at Clearswift. “We fully expect to see a seventh emerge in the very near future. The intervals between the cessation of the virus spreading and the release of a new version have varied from less than 7 to more than 35 days.”

Clearswift’s ThreatLab has conducted a full analysis of the values used by the last six versions of the worm, and has concluded that there are consistent string values that are likely to be reused by the worm in future variants. Clearswift recommends using lexical analysis tools, available in CS MAILsweeperâ„? for SMTP and ES ClearEdgeâ„?, to proactively block by common string values, attached file type and/or executables to avoid the immanent onslaught of Sobig variants.

New Viruses—Criminal Ends—Huge Financial Stakes
Prior to the advent of Sobig.A in January 2003, virus writers could be rather neatly categorized into two simple camps: those seeking to gain infamy by spreading their works as far and wide as possible; and those motivated by the intellectual challenge, who rather than release a virus into the wild, would make a copy available to antivirus companies to prove their technical prowess.

The recent series of Sobig worms, fall into neither of these categories. They represent a controlled project, motivated by a new set of objectives.

Said Pete Simpson, “We are now seeing a new evolutionary stage with the coming together of the skill sets of the virus writer, the hacker, the spammer and the fraudster. Hijacking PCs, as a means to various criminal ends, rather than simple infection is the name of the new game. The financial stakes are potentially huge.”

Defusing the Variants
The key to defusing W32/Sobig.F and other threats is finding them. CS MAILsweeperâ„? for SMTP does this extremely well using recursive disassembly to reduce e-mail into its most basic components—decoded, decompressed, and split into subject line, message body and attachments. That means even viruses or other threats such as Trojan Horses hidden in Excel spreadsheets within Word documents in compressed attachments are discovered. CS MAILsweeperâ„? for SMTP will protect entire networks from a new threat with a simple change made only once at the SMTP gateway.

Companies who are concerned about security and productivity issues such as these and want advice on additional protection measures should contact Clearswift at +44 (0) 118 903 8903

About Clearswift

Clearswift is the world’s leading provider of software for managing and securing electronic communications. Clearswift delivers the capabilities for organizations to protect themselves against email and web-based threats, meet legal and regulatory requirements, implement productivity-saving policies and manage intellectual property passing through their network.

The company’s expertise lies in establishing and enforcing e-policies. Content security threats include the circulation of inappropriate images and text, spam and oversize files, loss and corruption of data, breaches of confidentiality, as well as viruses and malicious code. Clearswift’s software portfolio includes Clearswift MIMEsweeperâ„?, a product family for email and web e-policies and Clearswift ENTERPRISEsuiteâ„?, a software infrastructure for managing e-policies in complex environments. More information about Clearswift, its products and services is available at

Don't miss