A Sobering return from the holiday weekend

Bill Brenner

IT administrators will want to be on guard as employees fire up their computers after a four-day holiday break. AV firms have spent the last few days monitoring a significant spike in traffic from multiple variants of Sober, Bagle and Mitglieder.

Sober has gotten the most attention since going on a tear last week.

New variants of the worm gained traction by duping people with either fake messages from the FBI and CIA, or a promise to display new photos and videos of "Simple Life" stars Paris Hilton and Nicole Richie. UK-based AV firm Sophos singled out Sober-Z as the biggest offender, noting on its Web site this morning that the worm now accounts for more than 85% of all virus reports it has received.

"Accounting for a staggering one in 14 of all e-mails traveling across the Internet, the Sober-Z worm sends itself as an e-mail attachment and attempts to turn off security software on the user's computer," Sophos said. In addition to the fake messages from the FBI and CIA, infected e-mails look like these:

From: (Harvested address)
Subject: hi, ive a new mail address
Message text: hey its me, my old address dont work at time. i dont know why?! in the last days ive got some mails. i' think thaz your mails but im not sure! plz read and check ... cyaaaaaaa.
Attachment: mailtext.zip

From: (Harvested address)
Subject: Paris_Hilton_&_Nicole_Richie
Message text: The Simple Life: View Paris Hilton & Nicole Richie video clips , pictures & more ;) Download is free until Jan, 2006! Please use our Download manager.
Attachment: downloadm.zip
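As an added example (not code from the article or from any of the AV vendors it quotes), here is a small mail-gateway triage rule that checks a message against the Sober-Z lure indicators quoted above: the two subject lines and the mailtext.zip / downloadm.zip attachment names. The sender and recipient addresses and the sample messages are constructed for the demo.

```python
"""Triage incoming mail against the Sober-Z lure indicators quoted in the article.

Added example; indicators come from the article, sample messages are constructed.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Exact subjects and attachment names quoted in the article, lower-cased.
SOBER_SUBJECTS = {"hi, ive a new mail address", "paris_hilton_&_nicole_richie"}
SOBER_ATTACHMENTS = {"mailtext.zip", "downloadm.zip"}


def attachment_names(msg: EmailMessage) -> list:
    """Lower-cased filenames of every part that carries a filename."""
    return [p.get_filename().strip().lower() for p in msg.walk() if p.get_filename()]


def classify(raw: bytes) -> dict:
    """Score one raw RFC 5322 message.

    'sober'   : lure subject AND a known worm attachment name
    'suspect' : only one of the two matches (variants change names), hold for review
    'clean'   : no indicator matched
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    subject_hit = subject in SOBER_SUBJECTS
    attachment_hits = sorted(n for n in attachment_names(msg) if n in SOBER_ATTACHMENTS)
    if subject_hit and attachment_hits:
        verdict = "sober"
    elif subject_hit or attachment_hits:
        verdict = "suspect"
    else:
        verdict = "clean"
    return {"verdict": verdict, "subject_match": subject_hit, "attachments": attachment_hits}


def build_sample(subject: str, body: str, attachment: Optional[str]) -> bytes:
    """Construct a demo message (not a real capture); addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "harvested@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        # Four-byte ZIP local-file-header magic stands in for the worm payload.
        msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename=attachment)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("hi, ive a new mail address", "hey its me, my old address dont work", "mailtext.zip")
    print(classify(lure))
```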

Meanwhile, AV firms Kaspersky Lab of Russia and F-Secure Corp. of Finland have been monitoring new variants of Bagle, which have been spreading as a worm and a Trojan horse. At last count, Kaspersky had intercepted 12 programs created by Bagle's authors: five Trojans, labeled Trojan.Downloader.Win32.Bagle-D through -H, and seven worms, labeled Bagle-EO through -EU.

"All of this activity is with the aim of finding new machines to infect to keep the Bagle botnet running," Kaspersky Lab said on its blog.

Finally, PandaLabs, a unit of Glendale, Calif.-based Panda Software, has reported a surge in traffic from the Mitglieder Trojan.

"The number of infections caused by the Mitglieder-GB Trojan continues to increase, and it now affects computers around the globe," PandaLabs said in an e-mailed alert. "According to data collected by PandaLabs, Belgium, Poland, Colombia and Portugal are the countries most affected by this threat…"

While these AV firms consider the increase in malicious traffic significant, Cupertino, Calif.-based AV giant Symantec Corp. has kept its ThreatCon at Level 1, meaning that "there is no discernible network incident activity and no malicious code activity with a moderate or severe risk rating." Under these conditions, Symantec said, "only a routine security posture designed to defeat normal network threats is warranted."
