New Sober variant in the wild

Article

New Sober variant in the wild

Several antivirus firms have spotted a new variant of the Sober worm in the wild, hiding in e-mails with English and German text.

According to Cupertino, Calif.-based Symantec, W32.Sober-J is a mass-mailer that uses its own SMTP engine to send itself to e-mail addresses it gathers from the computers it infects. "The subject of the e-mail varies and is in either English or German," the company said in its advisory. "The e-mail sender address is spoofed. The name of the e-mail attachment varies, and it has a .bat, .com, .pif, .scr or .zip file extension. The attachment may also have a double extension. This threat is written in the Microsoft Visual Basic programming language and is compressed with UPX."

Finnish security firm F-Secure Corp. said Sober-J was seeded in e-mails Jan. 31 and is "quite similar to the previous variants." While most AV companies consider it a low risk, Santa Clara, Calif.-based McAfee said it has seen enough activity to issue a medium-threat alert.

What it looks like
If the worm sends infected messages to domains with suffixes ".de," ".ch," or ".at," it composes a message in German. Otherwise, an English message is made.

In English, the subject line is: I've got YOUR email on my account!!

The body of the e-mail reads: "Hello, First, Sorry for my very bad English! Someone send your private mails on my email account! I think it's an Mail-Provider or SMTP error. Normally, I delete such emails immediately, but

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

in the mail-text is a name & address. I think it's your name and address. The sender of this mails is in the text file, too. In the last 8 days i've got 7 mails in my mail-box, but the recipient are you, not me. Lol. OK, I've copied all email text in the Windows Text-Editor and i've zipped the text file with WinZip. Bye." The attached file is either "email_text.zip" or "text.zip."

E-mail addresses are harvested from files with the following extensions on the victim's machines: abc; abd; abx; adb; ade; adp; adr; asp; bak; bas; cfg; cgi; cls; cms; csv; ctl; dbx; dhtm; doc; dsp; dsw; eml; fdb; frm; hlp; imb; imh; imh; imm; inbox; ini; jsp; ldb; ldif; log; mbx; mda; mdb; mde; mdw; mdx; mht; mmf; msg; nab; nch; nfo; nsf; nws; ods; oft; php; phtm; pl; pmr; pp; ppt; pst; rtf; shtml; slk; sln; stm; tbb; txt; uin; vap; vbs; vcf; wab; wsh; xhtml; xls; and xml.