Sober Still Spreading Says Sophos
Sophos, a world leader in anti-virus and anti-spam protection for businesses, is advising that reports from England and Germany of the Windows worm Sober-A (W32/Sober-A) have been steadily increasing since its discovery on Monday.
The worm has duped some computer users with its ability to check the domain of the recipient’s email address and change the text language accordingly. If it is ‘.de’ (Germany), ‘.li’ (Liechtenstein), ‘.at’ (Austria) or ‘.ch’ (Switzerland), the subject line and message text are displayed in German. All other recipient addresses receive an English subject and body text.
In one instance, the virus writer praises the author of the Sobig worm, which has been causing headaches for computer users for months, with the following text: ‘Congratulations!! Your Sobig Worms are very good!!!You are a very good programmer! Yours faithfully Odin alias Anon’
If an infected email attachment is opened, the Sober worm starts to spread by collecting email addresses found on the infected user’s computer and sending itself to each of them.
“Sober-A is the latest in a string of recent worms to trick Windows users by pretending to be attachments that deal with security,” said Carole Theriault, security consultant at Sophos. “These worms play on computer users’ fears and can be difficult to spot with email subject lines and messages chosen at random. The message is simple – treat all unsolicited emails with caution and keep your anti-virus software up to date to stop these worms dead in their tracks.”
Sophos advises users never to accept security updates that arrive as email attachments, and to use pro-active threat reduction technology to block dangerous file types at the email gateway.