New Virus 'Sobers' Up The Internet

KingFishKingFish
edited November 2004 in Science & Tech
A new worm is wriggling around the Internet. This time it's the latest variant of Sober, which first appeared in October of 2003.
The body of the malicious e-mail also has a myriad of possible content ranging from, "Your password was changed successfully!" to "Attachment: No Virus found" among others. Like other mass mailing worms in this family (and others like MyDoom, for example) it contains its own SMTP (define) e-mail engine, which allows it to construct and send outgoing e-mails.

The latest Sober variant harvests e-mail addresses from a long list of different types of files on a user's local machine and can use those addresses for both the "Sent to" and "From" fields of outgoing messages.

The payload of the worm is user activated and delivered only when the user clicks on the virus-bearing attachment. When clicked, a fake error message is displayed, which may lead users to believe that no malicious activity has occurred, when in fact it has. Like the message generated by the worm, the attachment extensions also vary and may be pif, .scr, .zip or .bat or a combination of extensions.

The new Sober variant is known by different names, depending on the security firm that is reporting it.

Symantec labels it W32.SOBER.I@mm. Trend Micro's name is similar to WORM_SOBER.I, and McAfee has dubbed it W32/Sober.j@MM.
yay! another worm.... -KF

Source: InternetNews

Comments

  • DanGDanG I AM CANADIAN Icrontian
    edited November 2004
    Thankfully I got the updated def's installed at work before it started hitting, and NAV corp blocked about 400 copies of this one yesterday.
    It's probably going to rank right up there Netsky, as far as daily occurances go.
  • Straight_ManStraight_Man Geeky, in my own way Naples, FL Icrontian
    edited November 2004
    Other AV mfr's label this virus variant as a W32\Clonz.a@mm viral, also.
Sign In or Register to comment.