I had another Byte written for today – but something horrible has happened to change all of my priorities. I am being targeted by the Sobig email virus. The good news is that I have two layers of virus protection that strip the virus (which is an attachment) from the message; the bad news is that I still get the messages, and for one of my filters to work I have to select OK each time a bad message comes in. I have hit OK about 250 times since yesterday morning! The first thing to know is that the virus selects random victims. If you haven’t been hit you are lucky and probably want to only peruse this Byte – but for those who have been hit, here’s the scoop on our shared enemy.
So what is Sobig? It is a virus that first appeared early this year. Yesterday it started showing up again. It comes with a subject line that typically says “re:details,” “details,” “your details,” “thank you,” or “resume.” The sender is disguised as someone that may be familiar to you, such as the name of a company or person. The virus is in the attachment.
Once the attachment containing the virus is opened, Sobig steals E-mail addresses from several different locations on the computer, including the Windows address book and Internet cache, then sends copies of itself out to those addresses. The virus, which sends multiple emails concurrently, selects addresses randomly for use as the sender, attempting to fool recipients into thinking the E-mail is from a company or other legitimate source. (Luckily the virus does not appear to delete or damage files.)
Apparently you can be listed as a sender even if you are not the sender and you have not been infected with the virus. This happened to me, so among my 250 infected emails I also received 3-4 messages saying my email had not been sent to the intended recipient because it contained a virus. But according to my source at VISI (my ISP) my address was just grabbed – the email did not come from me.
So what can you do? Make sure you have virus protection and that the virus definitions are up to date! I have written a previous Byte on this. And talk to your ISP about what they can do. VISI does filter email at the server level through a filter called Postini. Unfortunately for me they were not filtering my domain name (treacyinfo.com) through the filter – although we changed that this morning. So hopefully soon the messages will be filtered before they even reach me.
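To make the filtering idea concrete, here is an added example (not code from the original Byte, VISI or Postini) of a small mail-screening script that uses only the indicators the post gives: the typical Sobig subject lines, the fact that the payload arrives as an attachment, and the bounce messages that come back when your address has been spoofed as the sender. The list of executable attachment extensions and the three sample messages are assumptions constructed for the example; the subject lines are the ones quoted above.

```python
import email
from email import policy

# Subject lines the post lists as typical for Sobig. Matching is case-insensitive
# and ignores stray spaces around the colon in "re:details".
SOBIG_SUBJECTS = {"re:details", "details", "your details", "thank you", "resume"}

# Assumption (not from the post): attachment extensions treated as executable content.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".bat", ".com", ".cmd"}


def normalize_subject(subject):
    """Lower-case, collapse whitespace and tidy 'Re: ' so 'Re: Details' matches 're:details'."""
    s = " ".join(str(subject or "").strip().lower().split())
    return s.replace("re :", "re:").replace("re: ", "re:")


def is_executable(filename):
    lower = filename.lower()
    return any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def attachment_names(msg):
    """Filenames of all non-body parts (EmailMessage.iter_attachments)."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def is_delivery_report(msg):
    """Standard bounce format (RFC 3464): multipart/report; report-type=delivery-status."""
    return (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status")


def classify(raw):
    """Return (verdict, reason) for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    if is_delivery_report(msg):
        # The post describes exactly this: bounces for mail you never sent,
        # because the worm used your harvested address as the sender.
        return ("bounce", "delivery report; check whether you actually sent the original")
    subject = normalize_subject(msg["Subject"])
    executables = [a for a in attachment_names(msg) if is_executable(a)]
    if subject in SOBIG_SUBJECTS and executables:
        return ("quarantine", f"Sobig-style subject {subject!r} with executable attachment {executables[0]!r}")
    if executables:
        return ("review", f"executable attachment {executables[0]!r}")
    return ("deliver", "no indicators")


# Constructed sample messages (not real captures).
SAMPLE_SOBIG = """\
From: "Accounts" <someone@example.com>
To: me@example.com
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see the attached file for details.
--XYZ
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: base64

TVo=
--XYZ--
"""

SAMPLE_CLEAN = """\
From: friend@example.com
To: me@example.com
Subject: Lunch tomorrow?

Are you free at noon?
"""

SAMPLE_BOUNCE = """\
From: postmaster@example.net
To: me@example.com
Subject: Undeliverable: your details
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

Your message could not be delivered because it contained a virus.
--B--
"""

if __name__ == "__main__":
    for name, raw in [("sobig", SAMPLE_SOBIG), ("clean", SAMPLE_CLEAN), ("bounce", SAMPLE_BOUNCE)]:
        print(name, classify(raw))
```

Run it and the three samples come back as quarantine, deliver and bounce respectively. Subject matching alone would be a weak filter, since legitimate mail can say "thank you" too, which is why the script only quarantines when the subject and an executable attachment occur together; a server-side filter like the one described above can do the same check before the message ever reaches your inbox.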
If you are interested, here is more information on Sobig:
Symantec Security Response Fact Sheet and Information Week