New Sober Worm Begins to Spread
By Ed Oswald | Published May 3, 2005, 12:07 PM
The latest incarnation of the Sober worm is making its way across the Internet, prompting security firm McAfee to call the Sober.p variant a "medium risk" worm. This version attempts to prey on World Cup fans by offering tickets to the 2006 games in Germany. Both German and English versions of the worm have been found.
As with previous Sober versions, the e-mail comes with a zipped attachment that contains the infected file. Like most worms, it requires the file to be executed before a computer becomes infected. McAfee said that users of its VirusScan software have been protected from this threat since March of this year.
I manage 3 Trend Micro IMSS servers where I work. We went from seeing 2,000 viruses a day getting stopped to 26,000 getting stopped in less than 24hrs just from this virus. The nice thing is NOTHING got in and there are no infections in our network. I expected a few but it is nice to know that your software works when you need it most. :-)
Score: 0
the head of our IT dept. got his own personal computer infected with this ... he was running around the office, checking every computer, trying to find a computer named his first name. hehe: incompetence.
Score: 0
I was just thinking that it had been some time since someone sent me a virus by email. But today I got 10 emails with Sober infected attachments.
I'm not a soccer fan. Obviously this worm is spreading beyond that audience. Norton AV 2005 seems to block it.
Score: 0
I didn't realize we still had any of those left, here in the US. Damn disappointment, I'd say.
Go get 'em worm!
Score: 0
Targeting soccer fans... that's just wrong. That scumbag needs to be brought to justice lol.
This is apparently also the reason for the latest Stinger release being renamed to st1nger.exe.
Score: 0
Sober uses the up and coming World Cup for 2 reasons.
1: Social engineering
Football is the world's most popular sport and football fans are passionate about the game so it is easier to arouse their interest in a football orientated email. The massive size of the football audience makes it an attractive target for the worm's author.
2: Sober's author is German and since the next World Cup is to be held in Germany it's a topic of current affairs. The worm has always sent out emails in two languages, English and German depending on the recipient's domain. For example gmx.de domains will receive an emailed copy of the worm with German text.
P.S. The reason McAfee's Stinger tool was renamed st1nger is due to the fact that the worm is programmed to terminate processes with the word 'stinger' in them. This of course would prevent disinfection using McAfee's stinger utility. It also uses file locking techniques to prevent tampering with the worm making disinfection a little bit more difficult.
Regards, Ian Kenefick
http://www.ik-cs.com
Score: 0