Sober still spreading says Sophos

October 29, 2003 Sophos Press Release

Sophos, a world leader in anti-virus and anti-spam protection for businesses, is advising that reports from England and Germany of the Windows worm W32/Sober-A have been steadily increasing since its discovery on Monday.

The worm has duped some computer users with its ability to check the domain of the recipient's email address and change the text language accordingly. If it is '.de' (Germany), '.li' (Liechtenstein), '.at' (Austria) or '.ch' (Switzerland), the subject line and message text are displayed in German. All other recipient addresses receive an English subject and body text. If an infected email attachment is opened, the Sober worm starts to spread by collecting email addresses found on the infected user's computer and sending itself to each of them.

The displayed text uses sophisticated techniques to convince the user to double-click on the attachment, such as pretending to be an operating system patch to safeguard the recipient's computer or anti-virus protection to protect the user against viruses. In one instance, the virus writer praises the Sobig worm's author with the following text:

"Congratulations!! Your Sobig Worms are very good!!!
You are a very good programmer!
Yours faithfully
Odin alias Anon"

"Sober-A is the latest in a string of recent worms to trick Windows users by pretending to be attachments that deal with security," said Carole Theriault, security consultant at Sophos. "These worms play on computer users' fears and can be difficult to spot with email subject lines and messages chosen at random. The message is simple - treat all unsolicited emails with caution and keep your anti-virus software up to date to stop these worms dead in their tracks."

Sophos advises users never to accept security updates that arrive as email attachments, and to use pro-active threat reduction technology to block dangerous file types at the email gateway.

Sophos offers the following advice:

  • Never accept security updates which arrive as email attachments. (For that matter, don't blindly follow web links which arrive by email, either, especially if they take you directly to a software download.)
  • If you have a mail server which can block attachments (such as Sophos MailMonitor for SMTP), disallow the sending or receiving of attachments which contain programs. It is almost impossible to make a business case for using email to distribute programs, on account of the associated dangers.
  • Update your anti-virus software regularly so you can identify new worms and viruses effectively and accurately.
  • Emails which sound too strange to be true, or sound too good to be true, or are just too conveniently-timed to be true, probably aren't true. You don't need to be cynical or paranoid to exercise caution!
  • If you have peer-to-peer file sharing programs installed on your company's network, consider removing them. It is almost impossible to make a business case for unregulated file sharing across the internet, on account of the associated dangers.
  • Doing nothing about viruses and worms is not an option. Once infected by a worm like Sober, your computer will try to send the worm to as many other potential victims as it can. Even if you don't care about your computer, be considerate of the effect that your carelessness might have on other internet users.