Some 'Sober' on new worm variant

The latest incarnation appears to have legs and a high threat rating from some AV vendors.

A new Sober worm variant is getting traction this morning and is ranked as a high-level threat by some AV vendors.

"A new worm -- W32/Sober-I -- has appeared and it is already a high threat," said Patrick Hinojosa, CTO, Panda Software USA, based in Glendale, Calif. "This is spreading fast, particularly in Europe. It causes serious damage to the registry and it creates its own SMTP engine to resend itself to your address book."

Panda, F-Secure Corp., Trend Micro Inc. and Symantec Corp. are calling the new variant Sober-I; McAfee Inc. calls it Sober-J, and Norman Antivirus labels it Sober-H.

According to Panda, "It does not have destructive effects. It spreads via e-mail in a message with variable characteristics." Users of Windows 95, 98, ME, NT, XP, 2000 and 2003 are vulnerable, but will not become infected if they don't run the attached file.

Hinojosa added that the worm is somewhat intelligent. "It goes through the victim's address book and any other source of e-mail addresses and will customize the language it uses by the country of the recipient. Right now we've only seen English and German, but there could be others."

Norman said it has a variable subject line and body text; the attachment is also variable, but is an executable file using a .scr, .com, .bat, .pif or .zip extension.

According to Norman's site: "When the worm is executed, it will display a window with an error message. In the background it now creates a number of files in the Windows System directory; most notably two worm files -- these two files can have various names, f.ex. expoler.exe or win32data.exe. Registry keys will be created to start these from bootup." Other files created are:

  • clonzips.ssc
  • clsobern.isc
  • cvqaikxt.apk
  • dgssxy.yoi
  • nonzipsr.noz
  • Odin-Anon.Ger
  • sb2run.dii
  • sysmms32.lla
  • winexerun.dal
  • winmprot.dal
  • winroot64.dal
  • winsend32.dal
  • zippedsr.piz

To mitigate the worm, block .scr, .com, .bat, .pif or .zip extensions at the gateway and update antivirus signatures.
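As an added illustration of the gateway-side half of that advice (example code written for this page, not from any vendor named above), the following Python parses a MIME message, flags attachments whose extension is on the block list, and, for .zip attachments, records any executable members found inside so the gateway log shows what the archive carried. The mail message and the dummy "expoler.exe" inside the zip are constructed test data.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".scr", ".com", ".bat", ".pif", ".zip"}   # article's block list
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".pif"}  # flagged inside zips

def _extension(name: str) -> str:
    """Lower-cased final extension; 'Report.TXT.scr' -> '.scr', 'README' -> ''."""
    return os.path.splitext(name.strip().lower())[1]

def _zip_executables(data: bytes) -> list:
    """Names of executable members inside a zip payload (empty if not a valid zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if _extension(n) in EXECUTABLE_EXTENSIONS]
    except zipfile.BadZipFile:
        return []

def blocked_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for every attachment the gateway should stop."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _extension(name)
        if ext not in BLOCKED_EXTENSIONS:
            continue
        reason = f"blocked extension {ext}"
        if ext == ".zip":   # record what the archive carries, for the gateway log
            inner = _zip_executables(part.get_payload(decode=True))
            if inner:
                reason += " containing " + ", ".join(inner)
        verdicts.append((name, reason))
    return verdicts

def build_sample_message() -> bytes:
    """Constructed test mail: a harmless notes.txt plus a zip holding a dummy 'expoler.exe'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("expoler.exe", b"placeholder bytes, not a real executable")  # constructed
    msg = EmailMessage()
    msg.set_content("constructed body text")
    msg.add_attachment("meeting notes", filename="notes.txt")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Photos.ZIP")
    return msg.as_bytes()
```

Note that the check keys on the final extension after lower-casing and trimming whitespace, so names such as "Report.TXT.scr" or "update.scr " are still caught.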
