IDG News Service - SAN FRANCISCO -- A new version of the Sober e-mail worm started spreading in Europe last week, according to antivirus software vendors, which have given the worm a midlevel threat rating.
By the end of the workday in Europe, the worm had spread to North America and was propagating there as well, said Marius van Oers, an Amsterdam-based antivirus research engineer at McAfee Inc.
The Sober variant is referred to as Sober.j by McAfee and as Sober.i and by F-Secure Corp. and Kaspersky Labs Ltd. This variant is the latest version of a worm that first appeared in October last year.
The new worm sends itself as an attachment to German and English e-mail messages. Infected messages have various subjects and body texts. The worm isn't activated until the recipient opens the attachment.
Once opened, a fake error message is displayed and the worm creates two files in the Windows directory. Like its predecessors, Sober.i spreads by skimming e-mail addresses from victims' computers, then mailing copies of itself to those addresses.
The two files make it harder to manually remove the worm from an infected system, Van Oers said. Both files are loaded in the system's memory, and when one is deleted the other will re-create it, he said. Antivirus software is able to remove the worm, he said.
In spreading, Sober.i adapts its message for German-speaking audiences, inserting a German-language version of its pitch message into e-mail addresses belonging to German domains, such as those ending in .de for Germany, .ch for Switzerland and .at for Austria, F-Secure of Helsinki said in an advisory.
"It appears that the virus originated in Germany," McAfee's Van Oers said.
Sober.i appears to do no damage to users' systems other than replicating itself. The worm does try to download software from a remote location, but that feature didn't work when tested by McAfee, Van Oers said. The worm doesn't install any keystroke loggers or back doors into the user's system.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
