Some 'Sober' on new worm variant

Shawna McAlearney, News Editor

A new Sober worm variant is spreading quickly this morning and is rated a high-level threat by some AV vendors.

"A new worm -- W32/Sober-I -- has appeared and it is already a high threat," said Patrick Hinojosa, CTO, Panda Software USA, based in Glendale, Calif. "This is spreading fast, particularly in Europe. It causes serious damage to the registry and it creates its own SMTP engine to resend itself to your address book."

Panda, F-Secure Corp., Trend Micro Inc. and Symantec Corp. are calling the new variant Sober-I, McAfee Inc. calls it Sober-J and Norman Antivirus labels it Sober-H.

According to Panda, "It does not have destructive effects. It spreads via e-mail in a message with variable characteristics." Systems running Windows 95, 98, ME, NT, 2000, XP and 2003 can be infected, but only if the user runs the attached file.

Hinojosa added that the worm is somewhat intelligent. "It goes through the victim's address book and any other source of e-mail addresses and will customize the language it uses by the country of the recipient. Right now we've only seen English and German, but there could be others."

Norman said it has a variable subject line and body text; the attachment name is also variable, but it is an executable with a .scr, .com, .bat or .pif extension, or a .zip archive.

According to Norman's site: "When the worm is executed, it will display a window with an error message. In the background it now creates a number of files in the Windows System directory; most notably two worm files -- these two files can have various names, e.g. expoler.exe or win32data.exe. Registry keys will be created to start these from bootup." Other files created are:
  • clonzips.ssc
  • clsobern.isc
  • cvqaikxt.apk
  • dgssxy.yoi
  • nonzipsr.noz
  • Odin-Anon.Ger
  • sb2run.dii
  • sysmms32.lla
  • winexerun.dal
  • winmprot.dal
  • winroot64.dal
  • winsend32.dal
  • zippedsr.piz
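The filenames above are the indicators a responder would sweep a suspect machine for. The script below is an added example written for this page, not Norman's or the article's tool: it matches a directory listing against the list case-insensitively (Windows filesystems ignore case), and on Windows also looks through the HKLM and HKCU Run keys for the two example executable names. The default system directory (%SystemRoot%\System32) and the choice of Run-key hives are assumptions, marked in the code.

```python
"""Host-side sweep for the filenames Norman lists. This is an added,
constructed example, not Norman's or the article's tool; the directory
location and the Run-key check are assumptions noted inline."""
import os
import sys
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Dropped-file names from Norman's description, as quoted in the article.
DROPPED_FILES = frozenset({
    "clonzips.ssc", "clsobern.isc", "cvqaikxt.apk", "dgssxy.yoi",
    "nonzipsr.noz", "odin-anon.ger", "sb2run.dii", "sysmms32.lla",
    "winexerun.dal", "winmprot.dal", "winroot64.dal", "winsend32.dal",
    "zippedsr.piz",
})
# The two worm executables vary in name; these are the examples Norman gives.
WORM_EXE_EXAMPLES = frozenset({"expoler.exe", "win32data.exe"})
INDICATORS = DROPPED_FILES | WORM_EXE_EXAMPLES


def match_indicator_names(names: Iterable[str]) -> List[str]:
    """Return the entries of `names` that match an indicator, compared
    case-insensitively because Windows filesystems are case-insensitive.
    Results are sorted so output is stable across runs."""
    return sorted(n for n in names if n.lower() in INDICATORS)


def sweep_system_directory(directory: Optional[Path] = None) -> List[str]:
    """Look for the indicator files in the Windows system directory.

    Assumption: the directory defaults to %SystemRoot%\\System32 (the NT-line
    system directory); on Windows 9x/ME it would be %windir%\\System.
    """
    if directory is None:
        directory = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    if not directory.is_dir():
        return []
    return match_indicator_names(p.name for p in directory.iterdir() if p.is_file())


def run_key_hits() -> List[Tuple[str, str]]:
    """On Windows, list Run-key values whose command names one of the example
    worm executables. Norman says the worm adds Run keys; which hive it uses
    is not stated, so both HKLM and HKCU are checked (an assumption).
    Returns [] on non-Windows platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module, imported lazily on purpose
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    hits = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            key = winreg.OpenKey(hive, subkey)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    value_name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                index += 1
                if any(exe in str(data).lower() for exe in WORM_EXE_EXAMPLES):
                    hits.append((value_name, str(data)))
    return hits


if __name__ == "__main__":
    print("indicator files:", sweep_system_directory())
    print("run-key entries:", run_key_hits())
```

Because the two worm executables can carry other names, a clean result from the Run-key check is not proof of absence; the dropped-file list is the more reliable indicator.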

To mitigate the worm, block .scr, .com, .bat, .pif and .zip attachments at the mail gateway, update antivirus signatures, and remind users not to run unexpected attachments, since the worm only runs if the recipient launches the file.
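One way to express that gateway rule is shown below, as an added example written for this page rather than any vendor's product. It parses a message the way a mail filter would, flags attachments with the executable extensions named in the article, and, instead of dropping every .zip outright, opens archives in memory and applies the same check to their member names, so a .zip wrapping a .scr is still caught. The sample message, addresses and filenames are constructed for the demonstration.

```python
"""Gateway-style attachment filter for the extension list the article
gives. This is an added, constructed example, not the article's or any
vendor's code; the sample message below is made up for the demonstration."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

# Attachment extensions the article says the worm uses (compared lower-case).
BLOCKED_EXTENSIONS = (".scr", ".com", ".bat", ".pif")


def _has_blocked_extension(name: str) -> bool:
    """True if the filename ends in a blocked executable extension.
    endswith() also catches double extensions such as 'readme.txt.scr'."""
    return name.lower().endswith(BLOCKED_EXTENSIONS)


def suspicious_attachments(msg: EmailMessage) -> List[str]:
    """Return the attachments a gateway rule should block.

    Archives are opened in memory and their member names checked against the
    same list, so an executable hidden in a .zip is caught while a harmless
    archive passes. An archive that will not parse is reported as well,
    because an unreadable attachment cannot be declared safe."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _has_blocked_extension(name):
            hits.append(name)
        elif name.lower().endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as archive:
                    hits.extend(f"{name}:{member}" for member in archive.namelist()
                                if _has_blocked_extension(member))
            except zipfile.BadZipFile:
                hits.append(f"{name}:<unreadable archive>")
    return hits


def scan_raw_message(raw: bytes) -> List[str]:
    """Parse an RFC 822 message as a gateway would and scan its attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return suspicious_attachments(msg)


def build_sample_message() -> bytes:
    """Construct a message carrying a bare .pif, a .zip hiding a .scr, and a
    harmless .txt. Every byte here is invented for this example."""
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as archive:
        archive.writestr("info.txt.scr", b"MZ not a real executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Your document"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"MZ not a real executable",
                       maintype="application", subtype="octet-stream",
                       filename="details.pif")
    msg.add_attachment(zipped.getvalue(), maintype="application",
                       subtype="zip", filename="info.zip")
    msg.add_attachment("Just plain notes.", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_raw_message(build_sample_message()))
    # → ['details.pif', 'info.zip:info.txt.scr']
```

Filename checks are only a first line of defence: a gateway should also run updated signatures over the decoded content, since an attacker can rename the payload or choose an extension not on the list.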