Net citizens with good intentions may be caught out by Sober-M worm, Sophos reports

April 19, 2005 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus and spam analysis centres, have warned users that the W32/Sober-M worm is spreading in the wild. Over the last 24 hours the worm has been the fifth most commonly encountered virus, behind only variants of the prevalent Netsky and Zafi worms.

The W32/Sober-M worm bulk-mails itself in either German or English, depending on whether it believes the recipient's email address belongs to a German or an English speaker.

Emails sent in English have the following characteristics:

Subject line:
I've_got your EMail on my_account!

Message text:
Hello,
First, Very Sorry for my bad English.
Someone is sending your private e-mails on my address.
It's probably an e-mail provider error!
At time, I've got over 10 mails on my account, but the recipient are you. I have copied all the mail text in the windows text-editor for you & zipped then.
Make sure, that this mails don't come in my mail-box again.
bye

Attached file:
your_text.zip

"This latest variant of the Sober worm may catch out the unwary as they open their email inbox," said Graham Cluley, senior technology consultant at Sophos. "It looks like the virus writer is deliberately using 'broken English' to lull people into a false sense of security that it's not a virus that has sent the message through, but an aggrieved email user. The virus plays on people's desire to be a good net citizen - anyone who receives a message like this may feel duty bound to open the attachment and investigate how their computer has been sending erroneous email, but such good intentions could result in a nasty infection."

Sophos recommends that companies protect their email with a consolidated solution to thwart virus and spam threats, and secure their desktops and servers with automatically updated anti-virus protection. Sophos anti-virus products have been capable of detecting the W32/Sober-M worm since 2:07 a.m. GMT on 19 April, 2005.