IT administrators will want to be on guard as employees fire up their computers after a four-day holiday break. AV firms have spent the last few days monitoring a significant spike in traffic from multiple variants of Sober, Bagle and Mitglieder.
Sober has gotten the most attention since going on a tear last week.
"Accounting for a staggering one in 14 of all e-mails traveling across the Internet, the Sober-Z worm sends itself as an e-mail attachment and attempts to turn off security software on the user's computer," Sophos said. In addition to the fake messages from the FBI and CIA, infected e-mails look like these:
From: (Harvested address)
Subject: hi, ive a new mail address
Message text: hey its me, my old address dont work at time. i dont know why?! in the last days ive got some mails. i' think thaz your mails but im not sure! plz read and check ... cyaaaaaaa.
Message text: The Simple Life: View Paris Hilton & Nicole Richie video clips , pictures & more ;) Download is free until Jan, 2006! Please use our Download manager.
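The lures above are the concrete indicators an administrator can act on while signatures catch up: the worm arrives as an attachment with a recognisable subject and body. The following Python is an added example written for this page, not code from the article, Sophos or any other vendor named here. It parses raw messages with the standard `email` library, flags the quoted Sober-Z subject and body phrases, and flags attachments with executable-style extensions. The extension list, the sample messages and the attachment name `mail.exe` are constructed assumptions for illustration, not captures of the real worm.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure text quoted in the article; matched case-insensitively against Subject and body.
SOBER_SUBJECTS = {"hi, ive a new mail address"}
SOBER_BODY_PHRASES = (
    "my old address dont work at time",
    "please use our download manager",
)
# Assumption (not from the article): attachment extensions a mail gateway should treat
# as suspect, since the worm ships itself as an e-mail attachment.
SUSPECT_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".zip")


def classify(raw: bytes) -> dict:
    """Return {"suspect": bool, "reasons": [...]} for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    subject = (msg["Subject"] or "").strip().lower()
    if subject in SOBER_SUBJECTS:
        reasons.append(f"subject matches Sober lure: {subject!r}")

    # Prefer the text/plain body; attachments are excluded by get_body().
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content().lower() if body_part is not None else ""
    for phrase in SOBER_BODY_PHRASES:
        if phrase in text:
            reasons.append(f"body contains lure phrase: {phrase!r}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(SUSPECT_EXTENSIONS):
            reasons.append(f"suspect attachment: {name!r}")

    return {"suspect": bool(reasons), "reasons": reasons}


def build_samples() -> dict:
    """Constructed sample messages (not real captures): one mimicking the lure, one benign."""
    lure = EmailMessage()
    lure["From"] = "someone@example.org"  # stands in for a harvested sender address
    lure["To"] = "user@example.com"
    lure["Subject"] = "hi, ive a new mail address"
    lure.set_content("hey its me, my old address dont work at time. i dont know why?! "
                     "plz read and check ... cyaaaaaaa.")
    # Placeholder bytes and filename; a real sample would carry the worm binary here.
    lure.add_attachment(b"MZ\x90\x00placeholder", maintype="application",
                        subtype="octet-stream", filename="mail.exe")

    benign = EmailMessage()
    benign["From"] = "colleague@example.com"
    benign["To"] = "user@example.com"
    benign["Subject"] = "Minutes from Monday"
    benign.set_content("Attached are the notes from the meeting.")
    benign.add_attachment(b"meeting notes", maintype="text", subtype="plain",
                          filename="minutes.txt")

    return {"lure": lure.as_bytes(), "benign": benign.as_bytes()}


if __name__ == "__main__":
    for label, raw in build_samples().items():
        print(label, classify(raw))
```

Run it directly to see both verdicts. Each finding is reported separately so a gateway can quarantine on attachment type alone while the text matches merely raise a score; the body phrases are deliberately short and lower-cased because the worm's own spelling errors are part of the signature and minor template variants should still match.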
Meanwhile, AV firms Kaspersky Lab of Russia and F-Secure Corp. of Finland have been monitoring new Bagle variants, which are spreading both as self-propagating worms and as Trojan downloaders. At last count, Kaspersky had intercepted 12 programs created by Bagle's authors: five Trojans, labeled Trojan.Downloader.Win32.Bagle-D through -H, and seven worms, labeled Bagle-EO through -EU.
Finally, PandaLabs, a unit of Glendale, Calif.-based Panda Software, has reported a surge in traffic from the Mitglieder Trojan.
"The number of infections caused by the Mitglieder-GB Trojan continues to increase, and it now affects computers around the globe," PandaLabs said in an e-mailed alert. "According to data collected by PandaLabs, Belgium, Poland, Colombia and Portugal are the countries most affected by this threat…"
While these AV firms consider the increase in malicious traffic significant, Cupertino, Calif.-based AV giant Symantec Corp. has kept its ThreatCon at Level 1, meaning that "there is no discernible network incident activity and no malicious code activity with a moderate or severe risk rating." Under these conditions, Symantec said, "only a routine security posture designed to defeat normal network threats is warranted."