Warning: fake Sophos IDE update malware

We don’t have a great many details on this yet, but we’ve had limited reports of malware sent out claiming to be a security update for Sophos.

This is being sent out in email, with the subject: “Update your SOPHOS IDE scanner”.  Attached to the email is a .rar file – or rather, an EXE file pretending to be a rar file.  At this time, the filename was “SOPHOS IDE scanner.rar”.  Please don’t run it – it will attempt to install malware on your system.  Sophos updates should be obtained via the auto-update function of Sophos Anti-Virus, or by visiting http://www.sophos.com/downloads/ide/ – we never send identity data (IDEs) via email.
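The trick described above is an executable whose filename ends in .rar, so a mail gateway or triage script can catch it by comparing the attachment's leading bytes with its claimed extension. The following Python is an added defender-side example, not part of the original advisory and not Sophos's own tooling; the function names, the constructed sample bytes and the zip/7z entries (added for generality beyond the .rar case on the page) are assumptions of this example.

```python
import os

# Magic bytes expected for each archive extension. The RAR 4.x and RAR 5
# signatures are the real ones; zip/7z are included for generality beyond
# the .rar lure described in the advisory.
MAGIC_BY_EXT = {
    ".rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),
    ".zip": (b"PK\x03\x04",),
    ".7z": (b"7z\xbc\xaf\x27\x1c",),
}
PE_MAGIC = b"MZ"  # DOS/PE executable header: what a Windows .exe starts with

# Subject line quoted in the advisory; used only as a secondary indicator.
KNOWN_LURE_SUBJECTS = {"update your sophos ide scanner"}


def classify_attachment(filename: str, data: bytes) -> str:
    """Compare the claimed extension with the leading bytes of the content."""
    ext = os.path.splitext(filename)[1].lower()
    expected = MAGIC_BY_EXT.get(ext)
    if expected is None:
        return "unknown-extension"
    if any(data.startswith(magic) for magic in expected):
        return "ok"
    if data.startswith(PE_MAGIC):
        return "executable-disguised-as-" + ext.lstrip(".")
    return "mismatch"


def triage_message(subject: str, attachments: dict) -> list:
    """Return (filename, reason) pairs worth quarantining for one message."""
    findings = []
    for name, data in attachments.items():
        verdict = classify_attachment(name, data)
        if verdict.startswith("executable-disguised-as-") or verdict == "mismatch":
            findings.append((name, verdict))
    if subject.strip().lower() in KNOWN_LURE_SUBJECTS and not findings:
        # A known lure subject with clean attachments is a weaker signal,
        # but still worth surfacing to an analyst.
        findings.append(("<subject>", "known-lure-subject"))
    return findings


# Constructed sample attachments (not real malware): a PE header padded with
# zeros and named like the lure, beside a genuine-looking RAR header.
FAKE_RAR = b"MZ\x90\x00" + b"\x00" * 60
REAL_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * 60

if __name__ == "__main__":
    hits = triage_message(
        "Update your SOPHOS IDE scanner",
        {"SOPHOS IDE scanner.rar": FAKE_RAR, "ides.rar": REAL_RAR},
    )
    for name, reason in hits:
        print(f"{name}: {reason}")
```

The content check is the one that matters: the subject line of a lure changes from campaign to campaign, whereas an executable that is not the archive its name claims to be is a mismatch regardless of what the email says.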

The body of the email looks like this:

“Download latest virus identity (IDE) files

If you are running an older version of Sophos Anti-Virus and do not automatically update your protection, you should download virus identity files (IDEs), which provide detection and disinfection of viruses, worms, Trojans and spyware.

All the IDEs you need are available in a single compressed file. NOTE: Please RUN the application accordingly.”

Note that this has been copied from the genuine Sophos download page and slightly altered, to give an air of authenticity.

It’s quite possible this is targeted at existing Sophos customers, but the payload will do bad things to anyone who runs it. If you’re sent one of these emails, please let us know, as this is quite recent and we’re not sure how widespread it is yet.

Sophos customers with HIPS enabled were protected from this new threat even before we had seen it.  The malicious payload of the email is now detected as Troj/Spoof-H, published in spoof-h.ide.