New Sober variant spreading

News

New Sober variant spreading

A new version of the Sober e-mail worm started spreading in Europe on Friday, according to antivirus suppliers, which have given the worm a mid-level threat rating.

Marius van Oers, an Amsterdam-based antivirus research engineer at McAfee, said the worm had spread to North America by the end of the day and was propagating there as well.

The Sober variant is called Sober.j by McAfee and Sober.i by F-Secure and Kaspersky Labs. This original worm first appeared in October last year.

The new worm sends itself as an attachment to German and English e-mail messages. Infected messages have various subjects and body texts. The worm is not activated until the recipient opens the attachment.

Once opened, a fake error message is displayed and the worm creates two files in the Windows directory. Like its predecessors, Sober.i spreads by skimming e-mail addresses from victims' computers, then mailing copies of itself to those addresses.

Van Oers said the two files made it harder to manually remove the worm from an infected system. Both files are loaded in system memory and when one is deleted the other will re-create it. Antivirus software is able to remove the worm.

Sober.i appears to do no damage to users' systems other than replicating itself. The worm does try to download software from a remote location, although Van Oers said the feature did not work when McAfee tested it. The worm does not install any keystroke loggers or backdoors into a user's system.

Joris Evers writes for IDG News Service


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy