New version of Sober circulating

06 Jan 2006
Virus News

Kaspersky Lab, a leading developer of secure content management solutions that protect against viruses, Trojans, worms, spyware, hacker attacks and spam, has detected a new version of Sober, [insert name]. It was downloaded to machines which had been infected by Email-Worm.Win32.Sober.y] and is based on the Sober source code. However, it is unable to replicate independently; it sends [political] spam, rather than a copy of itself, to addresses harvested from the victim machine.

Sober [insert variant name] copies itself to the Windows system directory, and modifies the system registry so that the worm will be launched each time Windows is rebooted on the victim machine. It also drops a number of other files to the infected system. Sober sends spam to all email addresses harvested from the victim machine, except for addresses which appear to belong to antivirus vendors and software developers.

Rather than replicating, Sober sends spam in both German and English. German language messages are sent to recipients in .de, .ch, .at, .li, and .gmx domains. The messages contain right wing texts, and links to right wing sites. All other recipients receive messages in English - however, the contents are still politically right wing. The worm contains several dozen possible message versions. Although the sites contain material which may be offensive to readers, all the addresses are genuine, and there is no malware on these sites which could infect a machine being used to view the sites.

The worm will also terminate system processes connected with antivirus applications and firewalls.

An urgent update containing detection for Sober has already been released. Further details of the worm are available in the Kaspersky Virus Encyclopaedia. [add link]