I-Worm Sober Breaks Out

Zooropa

The new Internet worm Sober masquerades as anti-virus software

The Sober worm, first detected this past Saturday, is now surging in activity in connection with the beginning of the workweek.

Sober is a classic Internet worm that spreads via e-mail. Infected e-mail messages can have various body texts in English and in German; additionally, the infected file attachment can have one of several file extensions (PIF, BAT, SCR, COM, EXE). All of this makes it significantly more difficult to identify from outside appearances.

Example of a message infected with Sober:

Subject:
New Sobig-Worm variation (please read)

Message body text:
New Sobig variation in the net.
You must change any settings before the worm control your computer!
But, read the official statement from Norton Anti Virus!

Attachment name:
NAV.pif

If the infected attachment is mistakenly opened, the Sober worm is activated and proceeds to display a false error message:

File not complete!

Using different file names, Sober creates three copies of itself in the Windows system directory, and registers these copies in the system registry's auto-run key. Next, the worm launches its spreading routine in which Sober first searches victim computers for files that may contain e-mail addresses (such as HTML, WAB, EML, PST, etc. file types), and then clandestinely, under the guise of the computer owner, sends itself out to the e-mail addresses found.

The worm's body contains text strings in which its author expresses his admiration for the creator of another network worm, Sobig.

The defense against Sober has already been added to the anti-virus databases of reputable anti-virus software vendors. As always, computer users are advised to update their anti-virus software.
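
An added example, not part of the original post: a mail-gateway style check that parses a message and flags attachments whose final extension is one of those the article lists (PIF, BAT, SCR, COM, EXE). The sample message, the addresses in it and the function name are constructed for illustration.

```python
from email import message_from_string
from pathlib import PurePosixPath

# Attachment extensions the article lists for Sober.
RISKY_EXTENSIONS = {".pif", ".bat", ".scr", ".com", ".exe"}


def risky_attachments(raw_message: str) -> list:
    """Return the attachment filenames whose final extension is on the list."""
    hits = []
    for part in message_from_string(raw_message).walk():
        # get_filename() checks Content-Disposition, then the Content-Type
        # "name" parameter, and decodes RFC 2231 encoded values.
        name = part.get_filename()
        if not name:
            continue
        # Windows drops trailing dots and spaces when the file is saved,
        # so "setup.exe." must be treated as "setup.exe".
        cleaned = name.replace("\\", "/").rstrip(". ")
        # Only the last suffix counts: "report.txt.SCR" is still an SCR file.
        if PurePosixPath(cleaned).suffix.lower() in RISKY_EXTENSIONS:
            hits.append(name)
    return hits


# Constructed sample modelled on the message quoted in the post.
SAMPLE = "\n".join([
    "From: sender@example.com",
    "To: user@example.com",
    "Subject: New Sobig-Worm variation (please read)",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain",
    "",
    "New Sobig variation in the net.",
    "--b1",
    'Content-Type: application/octet-stream; name="NAV.pif"',
    'Content-Disposition: attachment; filename="NAV.pif"',
    "",
    "AAAA",
    "--b1",
    "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="report.txt.SCR"',
    "",
    "AAAA",
    "--b1--",
    "",
])

if __name__ == "__main__":
    print(risky_attachments(SAMPLE))
```

Matching on the final extension is what makes this hold up against the varying subjects and body texts the post describes, since those are not needed for the decision.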
 