February 21, 2005 (IDG News Service) --
A new version of the Sober worm wriggled out of its hole early today and set about quickly attacking computers in Europe and the U.S., a security services company said. The worm is a mass-mailer, meaning it spreads itself via e-mail using contacts listed in the address books of computers it infects.
The first instance of the worm, called W32.Sober-K-mm, was intercepted by U.K. security company MessageLabs Ltd. at 5:01 a.m. GMT. The company detected 663 instances of the worm in the first hour, and the figure climbed quickly to more than 2,200 instances between 11 a.m. and noon GMT, prompting MessageLabs to give it a high-risk rating, said Maksym Schipka, a senior antivirus researcher at the company.
"Compared to other Sober worms, it looks to me like this one is spreading itself more aggressively," he said.
The latest variant appears to have originated in Germany, and by midmorning it had also been detected in France, the U.K. and the U.S. It may have been created by the same hacker who wrote the first version of the Sober worm, which appeared in October 2003 and also originated in Germany, Schipka said.
"I'm not aware that the source code for this worm was made public. It is written in Visual Basic, which makes it more difficult to reverse-engineer the virus than if it were written in C++ or assembler. So it would be logical to assume it is the same virus writer," he said.
W32.Sober-K-mm spreads itself as an e-mail attachment and creates random subject lines and body texts in either English or German, depending on the e-mail addresses it gathers. Subject lines observed so far include "Alert! New Sober worm," "Paris Hilton Sex Videos," "You visit illegal websites" and "Your new Password," according to MessageLabs, in Gloucester, England.
The worm can also generate fake messages that try to fool the recipient into opening the attached .zip file. Some e-mails purport to be from an antivirus company offering a security patch against a new version of the Sober worm -- when in fact they contain they worm. Others pretend to be from the FBI and include an attachment labelled "indictment," Schipa said.
When a user opens the attachment, the worm creates several executable files with the names csrss.exe, winlogon.exe and smss.exe. It then modifies the registry key Software\Microsoft\Windows\CurrentVersion\Run so that the files execute on start-up.
The worm also displays the contents of part of the infected machine's file system in a notepad document. Schipka said that it is not clear yet why this document appears and that it may be a bug in the worm. "Sober is known as being relativelybuggy," he said.
The notepad file may be a sign that the virus writer is experimenting with new techniques, one observer speculated.
Such worms can make the computers they infect sluggish to operate and also clog e-mail servers and networks. Users are advised to update their antivirus software to keep the definition files current.
Reprinted with permission from IDG.net Story copyright 2008 International Data Group. All rights reserved.
Moving to Windows Vista: The Promise, The Reality View this exclusive webcast today! Go to the webcast
Managing Mobile Data with Endpoint Security for Laptops
Download this white paper now, compliments of Computerworld and Absolute Software. (Source: Absolute Software) A NetworkWorld survey of IT professionals found that only 1 in 100 employees consistently follow data security policy. This paper outlines endpoint security for laptops that restricts data access beyond encryption to safeguard against insider threats and user error.Read this whitepaper to learn lessons from recent data breaches, limitations of traditional data security, and how to remotely wipe out data and monitor computers that go off the network. Download this executive briefing
Record Capacity for Microsoft? Exchange 2007 With VMware and IBM System x3850 M2
Download this white paper today! (Source: VMware) The more that e-mail becomes an entrenched IT infrastructure application, the more that messaging administrators face numerous--sometimes conflicting--demands in the categories of availability, flexibility and cost. Employing a virtual solution can help avoid expensive over-provisioning of server computing resources, while improving management and disaster recovery. And ultimately, it can more than double the number of supportable Exchange 2007 users, as compared to a non-virtualized environment. This whitepaper explains how to break down the scalability barrier and respond faster to your mail system needs. Download this white paper
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
XenServer FREE trial
Citrix XenServer is the simplest and most effective way to virtualize and provision servers. XenServer combines comprehensive server virtualization capabilities with unparalleled scalability, performance, economics, and ease-of-use. Based on the open source Xen hypervisor, XenServer delivers fast performance, easy management, and advanced features such as live migration.