Stop Sobig Mass-Mailing Worm Before It Hits GroupWise
GroupWise Cool Solutions Article
by The Messaging Architects

Posted: 21 August 2003

What is W32.Sobig and how does it affect me?

For those of you being hit by the Sobig-F worm, you can easily defend your GroupWise servers using GWGuardian. If you do not currently own GWGuardian+AV, you can download a fully functional trial copy at http://www.messagingarchitects.com/gwguardianee.

The Sobig worm has made an unwelcome return in the form of its latest variant, W32/Sobig-F. This mass-mailing, network-aware worm can spread via email and network shares. W32/Sobig-F attempts to spread by copying itself to Windows network shares, and it uses the Network Time Protocol to query one of several servers in order to determine the current date and time.

What action can I take from here?

Protocol Filtering
While Sobig-F has quickly become one of the most successful viruses of all time, it can also be easily defeated with GWGuardian in several ways. First, add a protocol filter to block the subject lines listed below. GWGuardian's protocol filter analyzes the message header content and rejects suspicious email messages even before they are accepted by GWIA.

Subject line:

  • Re: That movie
  • Re: Wicked screensaver
  • Re: Your application
  • Re: Approved
  • Re: Re: My details
  • Re: Details
  • Your details
  • Thank you!

Attachment Blocks
Another method is to set just two simple yet effective attachment blocks. GWGuardian will block any message containing either of the file types below. Sobig-F may appear under a variety of file names, but will always use one of these two extensions.

*.SCR
*.PIF
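
The two checks described above (subject-line filter and .SCR/.PIF attachment block), sketched in Python as an added example; this is not GWGuardian's code or configuration. The function names and the constructed sample message are assumptions for illustration; the subject lines and extensions are the ones listed in this article.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines and extensions exactly as listed in the article.
SOBIG_F_SUBJECTS = {
    "re: that movie", "re: wicked screensaver", "re: your application",
    "re: approved", "re: re: my details", "re: details",
    "your details", "thank you!",
}
BLOCKED_EXTENSIONS = (".scr", ".pif")

def normalize(text):
    """Collapse whitespace and case so trivial variations still match."""
    return " ".join((text or "").split()).lower()

def blocked_attachments(msg):
    """Return filenames from any MIME part that end in a blocked extension."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so strip them first.
        cleaned = name.strip().rstrip(". ").lower()
        if cleaned.endswith(BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits

def evaluate(raw_bytes):
    """Return (verdict, reasons) for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    if normalize(msg["Subject"]) in SOBIG_F_SUBJECTS:
        reasons.append("subject")
    reasons += ["attachment:" + n for n in blocked_attachments(msg)]
    return ("reject" if reasons else "accept"), reasons

def build_sample(subject, filename):
    """Constructed test message (hypothetical; not a captured worm sample)."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(evaluate(build_sample("Re: Approved", "Sample.PIF")))
```

The extension check is the sturdier of the two, since it looks only at the final extension and so also catches names such as `photo.jpg.scr`; the subject list matches legitimate replies as well, so expect some false positives from it.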

If you are running GroupWise 5.5, 6.0, 6.5 or even Notes, Exchange and Netmail, GWGuardian will prevent Sobig-F from even reaching your mail server.

GWGuardian also includes many more features, including 8 levels of anti-spam & anti-virus protection. To find out why so many enterprises and government organizations chose GWGuardian, and to download a trial version, please visit us at http://www.messagingarchitects.com/gwguardianee.

Security Response Team
The Messaging Architects
http://www.messagingarchitects.com