A recently discovered variant of the infamous Sober worm went wild this Monday and Tuesday. According to reputable Internet security experts, the new parasite has already infected thousands of computers worldwide and caused this year’s largest epidemic, whose scale surprised analysts and virus researchers. MessageLabs, one of the leading providers of e-mail security software and services, reported that it had already stopped over three million Sober e-mails. Symantec said that it had received almost 2,000 reports from customers attacked by the worm during the past few days. Other antivirus vendors also keep receiving user notifications. Today, thanks to updated virus definitions and the impending Thanksgiving holiday in the United States, the infection rate has noticeably slowed, but it is far from stalled.
Sober.x, as the worm is named, together with a few minor variants, sends out e-mail messages built on social engineering techniques that trick users into running infected files attached to the letters. Some messages deceitfully offer images or videos of two celebrities, Paris Hilton and Nicole Richie; some contain fake old-fashioned requests to confirm a registration, or warnings about account and mail delivery problems. The most interesting and unusual ones, however, look like authentic e-mails sent by the FBI or CIA. These messages appear to come from genuine, but actually spoofed, addresses such as mailfbi.gov or postfbi.gov, accuse the recipients of visiting more than 30 illegal web sites and ask them to answer certain questions included in the attached files. These files are ordinary Zip archives containing copies of the parasite. Once the victim unpacks such an archive and executes the infected file, the worm displays a fake error message, installs itself on the system and runs its spreading routine. The other variants are installed in the same way.
Sober.x targets not only English-speaking users but also Germans. The worm sends messages with content very similar to the English letters. The major difference is that the e-mails come from spoofed .de addresses and there are no FBI and CIA variants; victims receive quite similar accusations, but this time purportedly from the BKA, the German federal police.
The worm does not carry much of a payload, as it is designed only to spread. Nevertheless, its activity may cause system instability and degrade Internet connection throughput. Furthermore, some virus experts say that certain Sober variants can be instructed by their author to simultaneously send out millions of malicious e-mails. A few others claim that the worm’s author could even steal confidential user information and sell it to third parties.
Fortunately, Sober infection can be avoided quite easily: simply don’t open unknown e-mail attachments or run any files they contain. Users also shouldn’t believe those FBI and CIA accusations, as neither the bureau nor the agency sends such messages, and both have already published alerts on their official web sites. It must also be noted that only users themselves can prevent the infection. According to the SANS Institute, even the most advanced antivirus software sometimes cannot detect the threat:
Antivirus software does not provide any reliable protection against current threats.
Viruses like Sober tend to change every few hours well in advance of AV signature updates. The fact that an attachment did not get marked is no indication that it is harmless.
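Because signatures lag behind each new variant, a mail gateway gets more mileage from checking the structure of the lure described above than from scanning for a particular sample: a ZIP attachment that holds an executable, arriving from a sender claiming to be a police agency, is suspect no matter what the scanner says. The following is an added example written for this page, not code from the article, SANS or any antivirus vendor. The sample messages, the member name questions.exe, the sender mail@fbi.gov and the list of impersonated domains are all constructed assumptions.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Sender domains the lures impersonated, per the article (assumption: a
# real gateway would extend this list for its own region).
IMPERSONATED_DOMAINS = {"fbi.gov", "cia.gov", "bka.de"}

# Extensions Windows executes on double-click. Any of these in an
# attachment is suspicious no matter what a signature scanner says.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def zip_executables(data: bytes) -> list[str]:
    """Names inside a ZIP payload that carry an executable extension.

    Only the central directory is read, so nothing is extracted and the
    check still works when the members themselves are encrypted.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTENSIONS]


def classify(raw: bytes) -> list[str]:
    """Return the reasons a message looks like a Sober-style lure; empty means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: list[str] = []

    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()
        payload = part.get_payload(decode=True) or b""
        if ext == ".zip" or part.get_content_type() in ("application/zip", "application/x-zip-compressed"):
            exes = zip_executables(payload)
            if exes:
                reasons.append(f"ZIP attachment {filename!r} contains executable(s): {exes}")
        elif ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"bare executable attachment {filename!r}")

    # The agencies never send such attachments, so a claimed agency sender on
    # a message that carries one confirms the lure rather than excusing it.
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if reasons and domain in IMPERSONATED_DOMAINS:
        reasons.append(f"From header claims {domain}, which does not send such attachments")
    return reasons


def build_sample_lure() -> bytes:
    """Constructed message resembling the FBI lure (not a real Sober sample)."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        # Hypothetical member name; inert bytes stand in for the worm body.
        zf.writestr("questions.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "mail@fbi.gov"          # spoofed sender, as in the lures
    msg["To"] = "victim@example.com"
    msg["Subject"] = "You visit illegal websites"
    msg.set_content("Please answer the questions in the attached file.")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="question_list.zip")
    return msg.as_bytes()


def build_clean_sample() -> bytes:
    """Constructed benign message with a text attachment, for comparison."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes attached.")
    msg.add_attachment("Agenda item 1\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_sample_lure()), ("clean", build_clean_sample())):
        print(label, classify(raw) or "no findings")
```

The check deliberately never runs or unpacks the attachment; it reads the archive's directory and the headers only, so it is cheap enough to run on every inbound message. It does not replace user caution: a member renamed to a harmless extension, or an archive nested inside another, slips past this particular test, which is why the article's advice to leave unknown attachments alone still stands.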