I saw the SoBig.F coming, I braced for it, I prepared, I laughed when the IT recruiting company on the same floor as my favorite client was over-run by the virus, I mean, they are an IT company... “maybe they should call one of the numbers on one of those resumes they have... tell them we can fix it” I joked.
And then my client's office began getting bounced messages, the first sign of a virus...
It is so simple and so hard to stop things like this. People see familiar email addresses and click the attachments; that is what we all do 90% of the time. Some of us do it 100% of the time. No matter how many security alerts and patches we put out and install, nothing will stop that open & click habit that is the complete cause for the spread of the current version of SoBig.
If you polled everyone who opened the SoBig.F attachment this week and asked them what a “.pif” file was, I bet a dollar to a doughnut that 100% of them would say “I don't know” yet most of them opened it anyway. The ones that didn't open a *.pif file opened some other attachment that they will say they don't recognize.
THAT is what IT must overcome: those who run full steam ahead without bothering to pause or read or think, those who will raise holy Hades when they see an attachment has been blocked by Outlook, not caring that it is for not only their own good but the good of everyone around them.
It is the classic “rights vs. freedoms” argument, but I think the answer is clear in this case: lock it down too tight by default but allow the user to turn off restrictions in extremely small steps. This means those who have no clue will be safe and those that have a clue and care can simply turn off the restrictions they don't like. The only argument to this I can imagine is “but Mr. X can't open .exe files in his email!”. My response is that if Mr. X can't turn off that feature then Mr. X is not skilled enough to be trusted with the right to open .exe files in his email.
Sobig hit days ago and I have yet to recieve a single copy. I feel so left out.