Why (some) anti-virus companies are to blame for the recent e-mail flood

As everyone should now know, Sobig.F has generated a tremendous amount of e-mail traffic world-wide. However, part of the blame for this traffic should be placed on some of the anti-virus companies.

What I am referring to is the large number of incorrectly configured mail filters that respond by sending a "virus alert" to the “From:” address. As Sobig.F falsifies the “From:” address, these e-mails just clutter up the mailboxes of innocent, non-infected people. These messages cause unnecessary annoyance and worry, as they typically (and incorrectly) claim that people have sent out a virus.

When you get an e-mail, warning you of a Sobig.F infection, with a subject line similar to these:

  • *** detected and quarantined a virus in a message you sent.
  • Warning: E-mail viruses detected
  • Virus Detected by ***
  • This is an alert from ***

it usually means that someone, somewhere has made a bad decision on how to react to infected mail, either by selecting a substandard product or by configuring it incorrectly.

Worse yet, if mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.

The problem is that some commercial mail filters have this behaviour set as the default. At least one filter gives only two options: always send a "virus alert" to the "From:" address of every infected e-mail received, or "pass the message through to the recipient". Clearly neither of these options is acceptable.

I have only one word for this: Stupid!

Acceptable behaviour would be one of the following:

  1. Have the mail filter properly distinguish between worms that falsify the “From:” address and ones that do not, and only send a warning message when the “From:” address is likely to be genuine.
  2. Do not send the alerts at all.

In fact, sending an alert automatically to the From: address for every virus or worm received by e-mail should not even be a selectable option.
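The two acceptable behaviours above, written as a notification policy for a mail filter. This is an added example, not F-Prot code; the threat sets are constructed for illustration (the mass-mailers are the ones this page names, the macro virus name is a hypothetical placeholder), and the "@mm" suffix is assumed to mark a mass-mailer in the scanner's naming scheme. The safe default is to send nothing; alerts to the "From:" address are opt-in and only go out for threats known not to forge the sender.

```python
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Tuple

# Mass-mailing worms named on this page; all forge the "From:" header.
# Whether a threat forges the sender is knowledge the scanner vendor must
# supply per detection; these sets are constructed for the example.
SENDER_FORGING_THREATS = {
    "W32/Sobig.F@mm", "W32/Swen.A@mm", "W32/Sober.A@mm",
    "W32/Mimail.C@mm", "W32/Mimail.I@mm",
}
# Hypothetical macro virus riding in a document a real user attached:
# here the "From:" address is the actual (infected) sender.
GENUINE_SENDER_THREATS = {"EXAMPLE/MacroVirus.A"}


@dataclass
class Verdict:
    threat_name: str   # scanner's name for the detection
    from_header: str   # value of the scanned message's "From:" header


def sender_is_likely_genuine(threat_name: str) -> bool:
    """Option 1 from the text: only threats known NOT to forge From: qualify.

    Unknown threats and any "@mm" (mass-mailer) name count as forging, so
    a new worm never triggers alerts before the vendor has classified it.
    """
    if threat_name in SENDER_FORGING_THREATS or threat_name.endswith("@mm"):
        return False
    return threat_name in GENUINE_SENDER_THREATS


def should_notify_sender(v: Verdict, alerts_enabled: bool = False) -> Tuple[bool, str]:
    """Decide whether to send a "virus alert" to the From: address.

    Returns (send, reason). The default, alerts_enabled=False, is option 2:
    never alert. There is deliberately no "always alert" setting.
    """
    if not alerts_enabled:
        return False, "sender alerts disabled (default)"
    _, addr = parseaddr(v.from_header)
    if "@" not in addr:
        return False, "no usable sender address"
    if not sender_is_likely_genuine(v.threat_name):
        return False, f"{v.threat_name}: From: is unreliable, alert would hit a third party"
    return True, f"{v.threat_name}: sender {addr} is likely genuine"
```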

With Sobig.F scheduled to die out today, Sept. 10th, the problem might go away for a while - until the next similar worm appears. And this is the scary part. Sobig.F didn't really infect that many machines world-wide, maybe only 200.000 or so. This is only a fraction of the number of machines infected by Msblast (Blaster / Lovsan). Now imagine a worm combining the distribution method of Msblast with the mass-mailing feature of Sobig.F. The flood of traffic might practically render the Internet unusable.

Eventually, some virus author will create a virus like this, maybe this month, maybe in a few years, but it will happen. And when it does we do not need the anti-virus companies making a bad situation worse.

I hope the "guilty" anti-virus producers will be updating their products in the near future, but this is not going to happen unless their customers request it.

Fridrik Skulason (frisk@f-prot.com)
Founder of FRISK Software International