New variants of the Sober worm are taunting users for the second time in as many weeks. This time, the worms are trying to dupe people with fake messages from the FBI and CIA, and
Tokyo-based AV firm Trend Micro said in an e-mailed advisory that Sober-AG has been spammed in e-mails written in German and English. It checks the Windows installation on a target machine and, if it detects GMX (a German e-mail provider) as the domain, installs one of the German versions. Otherwise, the firm said, it installs itself as one of the English versions.
"The worm has no automated capabilities and must therefore be inadvertently executed by the user to install," Trend Micro said. "To entice the user to do this, the author utilizes classic social engineering techniques, such as promising pictures of celebrities, or alerting the user to illicit behavior."
At least two of the English versions of Sober-AG spoof the Federal Bureau of Investigation (FBI) or Central Intelligence Agency (CIA), telling the user that the agency has found evidence that he or she has been visiting "more than 30 illegal Web sites." The user is asked to complete an attached "questionnaire." Those who try to do so are infected with the worm. "Similarly, one of the German versions spoofs Bundeskriminalamt, and threatens legal action against the users' illicit downloads of films, software, and MP3s," Trend Micro said. "The e-mail promises more details of the case in the attached file."
Other versions of the worm promise a free download of "video clips, pictures and more" of "Simple Life" stars Paris Hilton and Nicole Richie if the user activates the attached .zip files. At this point, the firm said, the latest variants don't appear to have any backdoor capabilities.
Cupertino, Calif.-based Symantec took the rare step of issuing a Level 3 alert for what it labeled Sober-X@mm. AV firms are also calling the new variants Sober-Y, Sober-X and Sober-W.
Glendale, Calif.-based Panda Software issued an orange alert for the latest variants.
UK-based Sophos said in an e-mail that Sober has accounted for 61% of all viruses reported to its lab in the last four hours.
The FBI has issued a public statement warning people not to be fooled by e-mails claiming to come from the agency. "These e-mails did not come from the FBI," the agency said. "Recipients of this or similar solicitations should know that the FBI does not engage in the practice of sending unsolicited e-mails to the public in this manner." The FBI said the e-mails appear to be sent from several spoofed sender addresses.
This is the second time in as many weeks that AV firms have had to issue alerts for new Sober variants. Last week, worms like Sober-U and Sober-Z dropped malicious files onto the computers they infected and tried to spy on users' passwords.