Several antivirus firms have spotted a new variant of the Sober worm in the wild, hiding in e-mails with English...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
and German text.
According to Cupertino, Calif.-based Symantec, W32.Sober-J is a mass-mailer that uses its own SMTP engine to send itself to e-mail addresses it gathers from the computers it infects. "The subject of the e-mail varies and is in either English or German," the company said in its advisory. "The e-mail sender address is spoofed. The name of the e-mail attachment varies, and it has a .bat, .com, .pif, .scr or .zip file extension. The attachment may also have a double extension. This threat is written in the Microsoft Visual Basic programming language and is compressed with UPX."
Finnish security firm F-Secure Corp. said Sober-J was seeded in e-mails Jan. 31 and is "quite similar to the previous variants." While most AV companies consider it a low risk, Santa Clara, Calif.-based McAfee said it has seen enough activity to issue a medium-threat alert.
What it looks like
If the worm sends infected messages to domains with suffixes ".de," ".ch," or ".at," it composes a message in German. Otherwise, an English message is made.
In English, the subject line is: I've got YOUR email on my account!!
The body of the e-mail reads: "Hello, First, Sorry for my very bad English! Someone send your private mails on my email account! I think it's an Mail-Provider or SMTP error. Normally, I delete such emails immediately, but in the mail-text is a name & address. I think it's your name and address. The sender of this mails is in the text file, too. In the last 8 days i've got 7 mails in my mail-box, but the recipient are you, not me. Lol. OK, I've copied all email text in the Windows Text-Editor and i've zipped the text file with WinZip. Bye." The attached file is either "email_text.zip" or "text.zip."
E-mail addresses are harvested from files with the following extensions on the victim's machines: abc; abd; abx; adb; ade; adp; adr; asp; bak; bas; cfg; cgi; cls; cms; csv; ctl; dbx; dhtm; doc; dsp; dsw; eml; fdb; frm; hlp; imb; imh; imh; imm; inbox; ini; jsp; ldb; ldif; log; mbx; mda; mdb; mde; mdw; mdx; mht; mmf; msg; nab; nch; nfo; nsf; nws; ods; oft; php; phtm; pl; pmr; pp; ppt; pst; rtf; shtml; slk; sln; stm; tbb; txt; uin; vap; vbs; vcf; wab; wsh; xhtml; xls; and xml.