A new variant of the prolific Sober worm has gained traction, posing as an FBI message and as pornographic videos of hotel heiress Paris Hilton, several antivirus firms reported.
Most AV vendors have labeled this latest variant Sober-K, though Panda Labs is calling it Sober-M and McAfee is calling it Sober-l@MM. And while its appetite for disruption is nothing compared to last year's Mydoom-A attack, it is spreading rapidly enough to be considered a nuisance, said Alex Shipp, senior AV technologist for New York-based MessageLabs.
"To give you some perspective, we stopped 41,000 copies of Sober-K Monday and 27,000 copies so far [Tuesday]," Shipp said. "With last year's Mydoom-A attack, we stopped 50,000 copies in the first hour."
The FBI issued a statement warning users not to click on unsolicited e-mails claiming to come from @fbi.gov addresses.
"These e-mails did not come from the FBI," the statement said. "Recipients of this or similar solicitations should know that the FBI does not engage in the practice of sending unsolicited e-mails to the public in this manner."
Finnish security firm F-Secure said Sober-K appears to be the source of these messages, which read:
We have logged your IP-address on more than 40 illegal Websites.
Important: Please answer our questions! The list of questions are attached.
M. John Stellford
++-++ Federal Bureau of Investigation -FBI-
++-++ 935 Pennsylvania Avenue, NW, Room 2130
++-++ (202) 324-3000
Sober-K's Paris Hilton messages carry such subject lines as "Paris Hilton, pure!" and "Paris Hilton SexVideos," Lynnfield, Mass.-based Sophos said in an alert. The worm tries to determine whether its intended victim speaks German or English, then sends a message in either language. As of Tuesday, Sophos said it was the third most commonly encountered worm, amounting to more than 10% of all worms and viruses reported to the firm's global network of monitoring stations in the last 24 hours.
"This latest variant of the Sober worm may catch out the unwary as they open their e-mail inbox," Graham Cluley, Sophos' senior technology consultant, said in a statement. "Although much-publicized virus outbreaks in the past should have made users more nervous of double-clicking on unsolicited e-mail attachments, some still find it hard to resist. All users should be reminded to follow safe computing guidelines, and PCs should be kept automatically updated with the latest anti-virus protection."
Shipp said Sober-K is spreading mostly in Europe, and that it quickly gained traction there Monday morning as people were turning their computers on at the start of the work day. "Historically, Sober tends to spread quite well in Europe, but by the time it travels to other countries most antivirus has been updated to stop it."
One reason folks might fall for opening this one: Hilton, whose image is plastered all over entertainment TV shows and magazines, does have a pornographic home movie circulating. One of the socialite's former lovers videotaped a tryst and then decided to distribute it for a fee.