Sober-F email worm spreading via email, users warned to be on their guard by Sophos

April 05, 2004 Sophos Press Release

Researchers at Sophos, a world leader in protecting businesses against viruses and spam, have warned computer users to be on their guard against a new variant of the Sober email worm which has been sighted in the wild.

The W32/Sober-F worm was spotted over the weekend, spreading via email systems using a variety of subject lines including "Oh my God", "Hi, it's me", "Well, surprise?!" and "Bad Gateway".

Users who launch the attached file invoke the virus, which harvests email addresses it finds on the computer's hard drive. The worm then forwards itself to the list of email addresses it has discovered, sending itself in the form of a German language message if it determines it is being sent to a German email address.

"This latest incarnation of the Sober worm is capable of clogging up email systems and stealing bandwidth with the number of emails it can generate," said Graham Cluley, senior technology consultant for Sophos. "The fact that this worm appeared over the weekend underlines how vital it is for users to automate their anti-virus updates. All companies should wake up to the importance of filtering dangerous content at the email gateway."

In a sneaky twist, the worm can append a message to the bottom of infected emails claiming that the email has already been virus scanned and that no malware has been detected.

"The ploy of adding a 'No virus found' message at the bottom of the email is deliberately designed to appeal to those who are too impatient to practise safe computing," continued Cluley.

Sophos recommends companies protect their email with a consolidated solution to thwart the virus and spam threats as well as secure their desktop and servers with automatically updated anti-virus protection.