Auld Lang Slime

I.T. security pros may hoist a cup of eggnog this holiday season to an early gift they got this month: an E-mail worm attack with a delivery date. Businesses rarely get the advance warning they did when security researchers VeriSign iDefense and F-Secure Corp. concluded that the next variant of the Sober worm likely would strike Jan. 5, based on code embedded in the worm. But will notice help?

Companies can take steps like making sure antivirus software signatures are up to date and keeping a careful eye on E-mail activity around Jan. 5, since any variant of Sober will spread using its own SMTP engine to send copies of itself over port 25. Companies with desktop firewalls can lock down outbound traffic from PCs trying to communicate with outside servers that way, senior Yankee Group analyst Andrew Jaquith says.

But Sober keeps finding security holes, so advanced notice might not be enough to stop an outbreak. The first Sober was found in 2003; it has spawned 25 variants, and Sober.y was this year's worst worm, F-Secure says. Plus, it's possible the Jan. 5 clues are part of a disinformation campaign by the worm's creator.

So eggnog might be a good idea, but keep a pager handy.