IT administrators will want to be on guard as employees fire up their computers after a four-day holiday break. AV firms have spent the last few days monitoring a significant spike in traffic from multiple variants of Sober, Bagle and Mitglieder.
Sober has gotten the most attention since going on a tear last week. New variants of the worm gained traction by duping people with either fake messages from the FBI and CIA, or a promise to display new photos and videos of "Simple Life" stars Paris Hilton and Nicole Richie. UK-based AV firm Sophos singled out Sober-Z as the biggest offender, noting on its Web site this morning that the worm now accounts for more than 85% of all virus reports it has received.
"Accounting for a staggering one in 14 of all e-mails traveling across the Internet, the Sober-Z worm sends itself as an e-mail attachment and attempts to turn off security software on the user's computer," Sophos said. In addition to the fake messages from the FBI and CIA, infected e-mails look like these:
From: (Harvested address)
Subject: hi, ive a new mail address
Message text: hey its me, my old address dont work at time. i dont know why?! in the last days ive got some mails. i' think thaz your mails but im not sure! plz read and check ... cyaaaaaaa.

Message text: The Simple Life: View Paris Hilton & Nicole Richie video clips , pictures & more ;) Download is free until Jan, 2006! Please use our Download manager.
Meanwhile, AV firms Kaspersky Lab of Russia and F-Secure Corp. of Finland have been monitoring new variants of Bagle, which have been spreading as a worm and a Trojan horse. At last count, Kaspersky had intercepted 12 programs created by Bagle's authors: five Trojans, labeled Trojan.Downloader.Win32.Bagle-D through -H, and seven worms, labeled Bagle-EO through -EU.
Finally, PandaLabs, a unit of Glendale, Calif.-based Panda Software, has reported a surge in traffic from the Mitglieder Trojan.
"The number of infections caused by the Mitglieder-GB Trojan continues to increase, and it now affects computers around the globe," PandaLabs said in an e-mailed alert. "According to data collected by PandaLabs, Belgium, Poland, Colombia and Portugal are the countries most affected by this threat…"
While these AV firms consider the increase in malicious traffic significant, Cupertino, Calif.-based AV giant Symantec Corp. has kept its ThreatCon at Level 1, meaning that "there is no discernible network incident activity and no malicious code activity with a moderate or severe risk rating." Under these conditions, Symantec said, "only a routine security posture designed to defeat normal network threats is warranted."