Large number of new Sober clones pose a threat to users

15 Nov 2005
Virus News

Kaspersky Lab analysts warn that three new email worm variants are active

Kaspersky Lab, a leading developer of secure content solutions that protect against viruses, Trojans, worms, hacker attacks and spam, announces that the company's virus analysts have detected three new variants of Email-Worm.Win32.Sober - Sober.u, Sober.v, and Sober.w. The three worms are modifications of the same program which has been repacked. A large number of samples have been intercepted in mail traffic, which confirms that the epidemic was caused by mass spamming of infected messages.

The new variants of Sober arrive as an attachment to infected messages. The attachment, which contains the body of the worm, is approximately 130KB in size. Although infected messages either have a random subject and text, or no subject or text at all, they can be recognized by the attachment name.

The attachment names are chosen from the following list:

  • Exceltab-packed_List.exe
  • Liste.zip
  • Reg-List-Dat_Packer2.exe
  • reg_text.zip
  • Word-Text.zip
  • Word-Text_packedList.exe
  • Word-Text_packedList.zip
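A mail-gateway check built from the indicators above, as an added example that is not Kaspersky Lab's code: it matches attachment names against the list and compares the decoded size with the stated 130KB. The size tolerance band, the verdict labels, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment names listed in the advisory, compared case-insensitively.
SOBER_NAMES = {n.lower() for n in (
    "Exceltab-packed_List.exe", "Liste.zip", "Reg-List-Dat_Packer2.exe",
    "reg_text.zip", "Word-Text.zip", "Word-Text_packedList.exe",
    "Word-Text_packedList.zip")}
# The advisory says "approximately 130KB"; this band is an assumption.
SIZE_RANGE = range(100 * 1024, 160 * 1024)

def check_message(raw: bytes):
    """Return (filename, decoded_size, verdict) for every named attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    # walk() also covers mail with no body text, which the advisory mentions.
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        # Drop any path prefix before comparing the bare file name.
        base = name.strip().replace("\\", "/").rsplit("/", 1)[-1].lower()
        size = len(part.get_payload(decode=True) or b"")
        if base not in SOBER_NAMES:
            verdict = "clean"
        elif size in SIZE_RANGE:
            verdict = "quarantine"   # name and size both match
        else:
            verdict = "review"       # name matches, size does not
        findings.append((name, size, verdict))
    return findings

def build_sample(filename, size, body="hello"):
    """Constructed test message: zero-filled attachment, optional body."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    if body:
        m.set_content(body)
    m.add_attachment(b"\0" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for fn, sz, body in (("Word-Text_packedList.exe", 130 * 1024, "hi"),
                         ("LISTE.ZIP", 2048, None),
                         ("invoice.pdf", 130 * 1024, "hi")):
        print(check_message(build_sample(fn, sz, body)))
```
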

The worm is only activated if the recipient clicks on the attachment. Once launched, the worm causes a false error message, “WinZip Self-Extractor. WinZip_Data_Module is missing ~Error”, to be displayed on screen.

The new variants of Sober copy themselves to the Windows system directory, and then register these files in the system registry, ensuring that a copy of the worm will be launched each time Windows is rebooted on the infected machine. In order to propagate, the worm sends itself to email addresses harvested from the victim machine.

Users are encouraged to be cautious, and not to open suspicious email or attachments.

The Kaspersky® Anti-Virus databases have been updated with detection for Sober.u, Sober.v, and Sober.w. Kaspersky Lab urges users to update their antivirus databases as soon as possible. Further information about the new Sober variants will be available in the Kaspersky Virus Encyclopaedia.
