Sober-A worm pretends to be virus fix

A new mass-mailing worm is in the wild, spreading via some old techniques. Sober-A does have a couple of new twists, though, including a flair for German.

A new bilingual, mass-mailing worm is in the wild and plays off user fears about viruses.

Sober-A is spreading via e-mail on Windows systems; it arrives with German and English subject lines and an attachment that purports to be a fix for a bogus new worm. When executed, the worm searches the infected system for e-mail addresses to mail itself to using its own Simple Mail Transfer Protocol (SMTP) engine.

Helsinki, Finland-based F-Secure Corp. reported "a clear increase in reports of the Sober worm over the weekend," but most other antivirus companies have it listed as a low risk.

Sober-A's subject lines and attachment names play off fears about viruses. Subject lines include "New internet virus!", "A worm is on your computer!" and "I love you (I'm not a virus!)", while attachment names include Anti-Sob.bat, anti-trojan.exe, AntiVirusDoc.pif and security.pif.

Other subject lines are in German, a ploy that the writer apparently used in hopes of getting the worm to spread beyond the English-speaking world. This isn't the first time that a worm writer employed German and English phrases in a worm. Last May, the Fizzer worm traveled with subject lines and file names in German, Dutch and English.

Some of Sober's progress can be attributed to its use of more than one language. Mass-mailers, for the most part, rely on social engineering to trick unsuspecting computer users into opening the attached malware. "If you are in Korea or Vietnam and get a message in English, you probably won't even be able to read it, so you likely just delete it," said Chris Belthoff, senior security analyst at antivirus software vendor Sophos Inc.

Sober-A will be a minimal threat for enterprises, because most strip or block the file extensions that the worm employs. Generally, businesses have no need to allow e-mails containing executable files such as .pif and .scr attachments. Those file types are used extensively by worm writers, and if such files genuinely need to be sent, there are other ways to transport them.
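The gateway-side check described above, as an added example that is not part of the original article or any vendor product: it parses a mail message, holds it if an attachment carries one of the executable extensions the article names (.pif, .scr, plus .bat and .exe from the worm's own attachment names), and also matches the subject lines quoted above. The blocklist and the sample message are constructed for this example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment types the article says enterprises generally strip or block;
# this set is an assumed policy for the example, not a vendor default.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".bat", ".exe"}

# Subject lines quoted in the article, lower-cased for comparison.
SUSPECT_SUBJECTS = {
    "new internet virus!",
    "a worm is on your computer!",
    "i love you (i'm not a virus!)",
}


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and list the reasons a gateway should hold it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).strip()
    if subject.lower() in SUSPECT_SUBJECTS:
        reasons.append(f"suspect subject: {subject}")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text or a multipart container, not an attachment
        ext = os.path.splitext(name.strip())[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type {ext}: {name}")
    return reasons


def build_sample(subject: str, filename: str) -> bytes:
    """Construct a test message (not a real Sober-A capture) with one attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Please run the attached fix.")
    msg.add_attachment(b"MZ constructed placeholder payload",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()
```

A message that trips either check is held rather than delivered, which is the "strip or block" behaviour the article credits for limiting the worm inside enterprises.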

"At the end of the day, this is a mass-mailer," Belthoff said. "A user will need to double-click on the attachment to get it to execute."

Sober-A coincides with a comparative lull in malware activity. Observers are still waiting for worms to take advantage of new RPC-DCOM vulnerabilities in Windows announced last month. The flaws are very similar to the one that the Blaster worm exploited in August.

Also, experts are awaiting the next variant of the Sobig worm. The last one, Sobig-F, spread quickly in August, becoming one of the most virulent worms of all time. As with past variants, Sobig-F had an expiration date, so on Sept. 10 it stopped spreading. Experts think the family of worms is being used to create open relays for spammers, so it's just a matter of time before Sobig-G appears.
