A new version of the Sober worm is spreading rapidly around the Web, this one with a twist. Called Sober-M or Sober-N by various security companies, it uses an e-mail in poorly worded English to try to convince recipients that their e-mail is being diverted to the alleged sender.
The subject of the infected messages is “I’ve_got your e-mail on my_account!” The infected .zip file is commonly named “your_text.zip.” There is also a German version with the subject “FwD: Ich bin’s nochmal.”
Two Languages More Effective
The use of two different languages adds more credibility to the e-mail, one security analyst said.
“This is an interesting facet of the worm; the use of regional settings is a novel approach for this type of malware as usually we see only English as the language used for propagation,” SecurityCurve President Ed Moyle told TechNewsWorld.
“Using the native language of the sender increases the efficacy of the ‘social engineering’ aspect of the malware — in other words, the worm banks on the fact that people are more likely to open and run a file addressed to them in their native language.”
The worm is spreading in Europe; by this morning there had been 88,000 reports of infections in England alone. If the attachment is opened, it will scan files on the infected computer looking for e-mail addresses and then report them back to the worm’s author. E-mail addresses can be sold to spammers.
Not as Malicious
“This malware is not quite as damaging as some of the others that we’ve seen recently; for example, based on the reports from the antivirus vendors, there aren’t any listening ports established and it doesn’t delete files,” Moyle said.
“It collects e-mail addresses from the infected machines, disables previous variants of Sober, and installs itself so that it will run again when the machine is restarted. Mostly, the emphasis of this worm seems to be on propagation and e-mail collection. It appears to be fairly successful in both endeavors given the propagation rate that we’re seeing,” he continued.
Security companies recommend updating virus definitions to prevent infection.
Moyle said mass-mailers such as Sober will probably become less of a nuisance in the future.
“I think as scanning technologies progress, as e-mail clients become more restrictive about executable content, and as users become more educated, that we will see fewer mass-mailers over the long-term,” he said.