Sober.N@mm Virus Reads .NSF files?

This morning, the Sober.N@mm virus attempted to infiltrate the Inbox of almost all my users. Being a Domino shop, this type of attack is very rare (non-existent).

Upon doing research, the Symantec & McAfee web sites indicate this virus gathers E-Mail addresses from .nsf files (along with many others). I am therefore concluding one of my users’ computers became infected, and the virus acquired everyone’s E-Mail address from either the Public Address Book, or another one of our Domino applications.

Is my conclusion sound? Can a virus bypass the Lotus Notes security and gather this information? Is this the first virus with this capability, or have I been lucky to not experience this before now?

No damage has been done thanks to perpetually updating virus scanners (server and local machine) … but I am wondering if this is the first of a new breed of viruses that gather data from Notes databases.

David R. Noble

Subject: Sober.N@mm Virus Reads .NSF files ?

David,

If you are reading the same thing as I am on Symantec’s website then you should look at the delivery methods. The virus creates its own SMTP engine and will try to spread via SMTP. What is more than likely is that you have someone using a mail client other than Notes (Hotmail, Yahoo, Outlook, Outlook Express, etc.). I have tackled this problem before and used a few tricks to stop it.

  1. I created a rule to block the attachment type and the subject line.

  2. I changed the internal routing to use NRPC and use SMTP for internet traffic.

  3. I used an external service to block the file types as well as the content.

  4. I run NAV on the server every night to remove any virus that may be embedded in the mail database.

So far I have not gone through an outbreak in almost 6 months now.