New Sober Variant Spreading Multilingual Worm
A new worm is wriggling around the Internet. This time it's the latest variant of Sober, which first appeared in October of 2003. The body of the malicious e-mail can carry a myriad of possible content, ranging from "Your password was changed successfully!" to "Attachment: No Virus found," among others.

Like other mass-mailing worms in this family (and others, such as MyDoom) it contains its own SMTP e-mail engine, which allows it to construct and send outgoing e-mails. The latest Sober variant harvests e-mail addresses from a long list of different types of files on a user's local machine and can use those addresses for both the "Sent to" and "From" fields of outgoing messages.

The payload of the worm is user activated and delivered only when the user clicks on the virus-bearing attachment. When clicked, a fake error message is displayed, which may lead users to believe that no malicious activity has occurred, when in fact it has. Like the message generated by the worm, the attachment extensions also vary and may be .pif, .scr, .zip or .bat or a combination of extensions.
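
A mail gateway can act on the attachment extensions listed above before a user ever sees the message. The following is an added example, not code from the article or from any vendor it names; the block/quarantine/pass policy, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Attachment extensions the article lists for this Sober variant.
EXECUTABLE_EXTS = {".pif", ".scr", ".bat"}
ARCHIVE_EXTS = {".zip"}


def classify_attachment(filename):
    """Return 'block', 'quarantine' or 'pass' for one attachment name."""
    # Windows ignores trailing dots and spaces, so "x.scr. " still runs as .scr.
    name = filename.strip().rstrip(". ")
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return "pass"
    if suffixes[-1] in EXECUTABLE_EXTS:
        # Covers plain "a.pif" and combinations such as "a.txt.pif".
        return "block"
    if suffixes[-1] in ARCHIVE_EXTS:
        # An archive can carry an executable; hold it for content inspection.
        return "quarantine"
    return "pass"


def scan_message(raw):
    """Parse a raw RFC 5322 message and classify every named attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename(), classify_attachment(part.get_filename()))
            for part in msg.iter_attachments() if part.get_filename()]


def build_sample():
    """Constructed test message; body text is one of the lures quoted above."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("Your password was changed successfully!")
    for name in ("mail_text.txt.pif", "details.zip", "photo.jpg"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:10} {name}")
```

The decision rests on the final extension only, because that is what Windows uses to choose a handler; a name such as "mail_text.txt.pif" is therefore treated as a .pif file.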
The new Sober variant is known by different names, depending on the security firm that is reporting it. Symantec labels it W32.SOBER.I@mm. Trend Micro uses the similar name WORM_SOBER.I, and McAfee has dubbed it W32/Sober.j@MM. Just as its name varies among security firms, the new worm may also show up under a variety of guises on users' PCs.

In spreading, Sober.i adapts its message for German-speaking audiences, inserting a German-language version of its pitch message into e-mail sent to addresses belonging to German domains such as those ending in .de for Germany, .ch for Switzerland and .at for Austria, F-Secure said in an advisory. "It appears that the virus originated in Germany," McAfee's Van Oers says. The security firms are reporting a number of different subject lines; Symantec alone has noted over 50 different options.

Security firms including Trend Micro, McAfee, Symantec, Panda Software, Sophos and others have all issued patch updates to their anti-virus software tools, which users are encouraged to install immediately. "Although much-publicised virus outbreaks in the past should have made users more nervous of double-clicking on unsolicited e-mail attachments, some still find it hard to resist," Graham Cluley, senior technology consultant at Sophos, said in a statement. "All users should be reminded to follow safe computing guidelines, and PCs should be kept automatically updated with the latest anti-virus protection." Antivirus software is able to remove the worm, he says.