Sober-C worm speaks German

A new variant of the Sober worm emerged over the weekend and is spreading, primarily in German-speaking countries.

Antivirus vendor McAfee and e-mail filtering outsourcer MessageLabs Inc. said that 80% of Sober-C infections are coming from Germany. The mass-mailing worm does not carry a destructive payload, and it can send messages in either English or German.

McAfee has rated the worm as a medium risk. Antivirus software vendors Symantec Corp. and F-Secure Corp. each have it as a level 2 risk.

Sober-C is a straightforward mass mailer. It sends copies of itself as an attachment to an e-mail message and attaches with one of the following file extensions: .bat, .cmd, .pif, .scr, .exe and .com.

Administrators are urged to update their antivirus signatures and block the offending file extensions in order to avoid infection. Sober-C attacks systems running Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP.

The worm uses a variety of subject lines, message bodies and attachment names. It searches infected machines for e-mail addresses from a variety of files, including cached Web pages and Microsoft Word documents. If an address contains a domain that may be a German-speaking country, like Germany (.de), Austria (.at), Belgium (.be) or Switzerland (.ch), then the worm mails itself with a message written in German.

The first time the worm executes, users see a bogus error message with the subject "Microsoft" and the text " has caused an unknown error. Stop: 00000010x18".

Bilingual worms are not new. In May, Fizzer-A used German, English and Dutch subject lines and messages to entice people into opening the attached worm. Sober-A also arrived with English or German subject lines and pretended to be a fix for a bogus worm.

The English message text should make most users suspicious, because English doesn't appear to be the creator's first language. Some messages offer free games; others warn recipients that their systems are insecure. Others purport to come from law enforcement agencies investigating software piracy.