New Sober variant in the wild

Bill Brenner

Several antivirus firms have spotted a new variant of the Sober worm in the wild, hiding in e-mails with English and German text.

According to Cupertino, Calif.-based Symantec, W32.Sober-J is a mass-mailer that uses its own SMTP engine to send itself to e-mail addresses it gathers from the computers it infects. "The subject of the e-mail varies and is in either English or German," the company said in its advisory. "The e-mail sender address is spoofed. The name of the e-mail attachment varies, and it has a .bat, .com, .pif, .scr or .zip file extension. The attachment may also have a double extension. This threat is written in the Microsoft Visual Basic programming language and is compressed with UPX."

Finnish security firm F-Secure Corp. said Sober-J was seeded in e-mails Jan. 31 and is "quite similar to the previous variants." While most AV companies consider it a low risk, Santa Clara, Calif.-based McAfee said it has seen enough activity to issue a medium-threat alert.

What it looks like
If the worm sends infected messages to domains with suffixes ".de," ".ch," or ".at," it composes a message in German. Otherwise, an English message is made.

In English, the subject line is: I've got YOUR email on my account!!

The body of the e-mail reads: "Hello, First, Sorry for my very bad English! Someone send your private mails on my email account! I think it's an Mail-Provider or SMTP error. Normally, I delete such emails immediately, but in the mail-text is a name & address. I think it's your name and address. The sender of this mails is in the text file, too. In the last 8 days i've got 7 mails in my mail-box, but the recipient are you, not me. Lol. OK, I've copied all email text in the Windows Text-Editor and i've zipped the text file with WinZip. Bye." The attached file is either "email_text.zip" or "text.zip."

E-mail addresses are harvested from files with the following extensions on the victim's machines: abc; abd; abx; adb; ade; adp; adr; asp; bak; bas; cfg; cgi; cls; cms; csv; ctl; dbx; dhtm; doc; dsp; dsw; eml; fdb; frm; hlp; imb; imh; imm; inbox; ini; jsp; ldb; ldif; log; mbx; mda; mdb; mde; mdw; mdx; mht; mmf; msg; nab; nch; nfo; nsf; nws; ods; oft; php; phtm; pl; pmr; pp; ppt; pst; rtf; shtml; slk; sln; stm; tbb; txt; uin; vap; vbs; vcf; wab; wsh; xhtml; xls; and xml.
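The indicators above (the fixed English subject line, the two attachment names, the executable or double extensions, and the TLD rule for picking German) are enough to write a simple mail-gateway check. The following is an added example, not code from the article or from any antivirus vendor: it parses a message with Python's standard email library and reports which Sober-J indicators it matches. The sample messages are constructed here, the `build_sample` helper and the indicator labels are this example's own, and the hypothetical `expected_language` function only restates the article's TLD rule so a filter can compare the language it sees with the language the worm would have chosen.

```python
"""Flag inbound mail that matches the Sober-J indicators described in the article.

Added illustration: indicator strings come from the article text, the sample
messages are constructed here, and the helper and label names are assumptions.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators quoted in the article
SOBER_J_SUBJECT_EN = "I've got YOUR email on my account!!"
SOBER_J_ATTACHMENTS = {"email_text.zip", "text.zip"}
EXECUTABLE_EXTS = {".bat", ".com", ".pif", ".scr", ".zip"}
GERMAN_TLDS = (".de", ".ch", ".at")


def attachment_indicators(name: str) -> list[str]:
    """Return the indicator labels triggered by a single attachment filename."""
    hits = []
    lower = name.lower()
    if lower in SOBER_J_ATTACHMENTS:
        hits.append(f"known-attachment-name:{lower}")
    parts = lower.split(".")
    if len(parts) >= 2 and "." + parts[-1] in EXECUTABLE_EXTS:
        hits.append(f"executable-extension:.{parts[-1]}")
        if len(parts) >= 3:  # e.g. text.txt.pif, the double extension the advisory mentions
            hits.append(f"double-extension:{lower}")
    return hits


def expected_language(recipient: str) -> str:
    """Language the worm would pick for this recipient, per the article's TLD rule."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return "de" if domain.endswith(GERMAN_TLDS) else "en"


def score_message(raw: bytes) -> list[str]:
    """Parse an RFC 5322 message and list the Sober-J indicators it matches."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    subject = (msg["Subject"] or "").strip()
    if subject == SOBER_J_SUBJECT_EN:
        hits.append("known-subject-en")
    for part in msg.iter_attachments():
        fname = part.get_filename()
        if fname:
            hits.extend(attachment_indicators(fname))
    return hits


def build_sample(subject: str, attachment_name: str, to: str) -> bytes:
    """Construct a test message (not a real capture) carrying one zip attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"  # sender is spoofed, per the advisory
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content("Hello, First, Sorry for my very bad English! ...")
    # Placeholder bytes standing in for the zipped attachment; not real worm content
    msg.add_attachment(b"PK\x03\x04constructed-placeholder",
                       maintype="application", subtype="zip",
                       filename=attachment_name)
    return bytes(msg)


if __name__ == "__main__":
    suspicious = build_sample(SOBER_J_SUBJECT_EN, "email_text.zip", "alice@example.com")
    benign = build_sample("Quarterly report", "report.pdf", "bob@example.de")
    print(score_message(suspicious))  # three indicators: subject, attachment name, .zip
    print(score_message(benign))      # []
    print(expected_language("bob@example.de"), expected_language("alice@example.com"))
```

A gateway would treat the fixed subject or a known attachment name as a strong match on its own, while an executable or double extension alone is a weaker signal that also catches ordinary policy violations; the list of labels is returned rather than a single verdict so the caller can weight them.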
