Internet Worm Sober Returns

20 Dec 2003
Virus News

Kaspersky Lab, a leading international information security software developer warns all computer users that a new modification of Sober has been detected - Sober.c. We have received a number of reports of computers infected by this malicious program. The Sober family belongs to the Internet worm class of malware; being a malicious program that spreads via email. This latest modification is the third version since the original Sober was detected on 27 October 2003. It is highly probable that this version, like its predecessors was also created in Germany. Sober.c has extended functionalities and better camouflage techniques than the earlier version. Like the earlier versions, Sober.c attempts to penetrate computers by means of infected email messages. The letters have different body texts (in English and in German) and different names for the attachments. A sample email may contain the following: Subject: Why me? Body Text: You say in the www. that i'm a terrorist!!!
No way out for you. I REPORT YOU !
You've said THAT about me
Attachment name: It is vital to be aware that the infected attachments have different extensions including bat, cmd, pif and scr. Kaspersky Lab would like to stress that all all of these files may contain malicious code and require thorough anti-virus scanning before opening. If a user does open the attachment by mistake, Sober.c will launch a fake error message and initiate installation routines. Sober.c creates three copies of itself in the Windows directory with randomly selected names and registers them in the system registry auto-run keys. Thus, the worm ensures that it will be activated every time the computer is rebooted. Sober.c then initiates its propagation routine. The worm first scans the local disk for files with specific extensions (HTML, WAB, EML and others) and searches for email addresses. The malicious program then sends all of these addresses infected email messages unbeknownst to the user via an SMTP engine. "At this time we have registered only scattered infections by Sober.c", commented Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab, "However, experience has shown that Sober outbreaks peak at the beginning of the work week, when users start reading email received over the weekend. In order to spare yourself trouble this week and have a merry Christmas, we strongly recommend that users worldwide begin their work week by updating their anti-virus databases and scanning their hard drives." Kaspersky® Anti-Virus databases have already been updated with protection against Sober.c. A detailed description of the worm is available in the Kaspersky Virus Encyclopedia.