Sober-C worm speaks German

Article

Sober-C worm speaks German

A new variant of the Sober worm emerged over the weekend and is spreading, primarily in German-speaking countries.

Antivirus vendor McAfee and e-mail filtering outsourcer MessageLabs Inc.

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

said that 80% of Sober-C infections are coming from Germany. The mass-mailing worm does not carry a destructive payload, and it can send messages in either English or German.

McAfee has rated the worm as a medium risk. Antivirus software vendors Symantec Corp. and F-Secure Corp. each have it as a level 2 risk.

Sober-C is a straightforward mass mailer. It sends copies of itself as an attachment to an e-mail message and attaches with one of the following file extensions: .bat, .cmd, .pif, .scr, .exe and .com.

Administrators are urged to update their antivirus signatures and block the offending file extensions in order to avoid infection. Sober-C attacks systems running Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP.

The worm uses a variety of subject lines, message bodies and attachment names. It searches infected machines for e-mail addresses from a variety of files, including cached Web pages and Microsoft Word documents. If an address contains a domain that may be a German-speaking country, like Germany (.de), Austria (.at), Belgium (.be) or Switzerland (.ch), then the worm mails itself with a message written in German.

The first time the worm executes, users see a bogus error message with the subject "Microsoft" and the text " has caused an unknown error. Stop: 00000010x18".

Bilingual worms are not new. In May, Fizzer-A used German, English and Dutch subject lines and messages to entice people into opening the attached worm. Sober-A also arrived with English or German subject lines and pretended to be a fix for a bogus worm.

The English message text should make most users suspicious, because English doesn't appear to be the creator's first language. Some messages offer free games; others warn recipients that their systems are insecure. Others purport to come from law enforcement agencies investigating software piracy.