Multiple new Sober variants spy on passwords
By Bill Brenner, News Writer
16 Nov 2005 | SearchSecurity.com

Antivirus firms are tracking several new variants of the prolific Sober worm, warning that these versions drop malicious files onto the machines they infect. Like past variants, these use e-mail attachments to spread.
"We went from Sober-U to Sober-Z about four hours ago," Kaspersky Lab of Russia said on its Web site Tuesday. "These Sobers are pretty much the same [as] before."
The worm drops a file oddly named "not-a-virus:PSWTool.Win32.PassView.162" into the system directory, Kaspersky said. "This tool is used to spy on passwords. Like previous variants, Sober-U uses an exclusive lock to make removal difficult."
Kaspersky said possible e-mail attachments may be under such names as: Exceltab-packed_List.exe, Liste.zip, Reg-List-Dat_Packer2.exe, reg_text.zip, Word-Text.zip, Word-Text_packedList.exe and Word-Text_packedList.zip.
Cupertino, Calif.-based Symantec reported the appearance of Sober-S@mm, Sober-W@mm and Sober-T@mm, saying the variants use their own SMTP engine to spread. "It sends itself as an e-mail attachment to addresses gathered from the compromised computer," the firm added.
Finnish antivirus firm F-Secure Corp. said it has raised its alert status to level 2 because of the four Sober variants it has been monitoring. At last check, F-Secure reported Sober-X and Sober-Z as the latest variants.
According to F-Secure, Bavarian police warned it on Monday that a new Sober attack might be launched the following day. The prediction proved accurate, the firm said in its daily lab blog.
"The German police is basing the information on a year-long investigation into the Sober case (the author of the virus is German)," F-Secure said. "They also say they can not provide more details at this time."