Sober comeback poses as long lost schoolfriend, Sophos reports on email worm

October 06, 2005 Sophos Press Release


Sophos products were automatically updated to protect against the Sober-O worm.

Worm takes second place in prevalence charts for last 12 hours

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, are warning users about two new spyware email worms, which pose as an old school photograph. The Sober-O worm is now the second most commonly reported virus to Sophos, accounting for approximately 10% of all reports in the last twelve hours. Sophos is also alerting users to the presence of another similar variant, Sober-P.

The Sober-O worm tempts users to open a picture of an old class photo. When recipients open this file, instead of seeing themselves in a picture, the worm attempts to infect their computer. If successful, the worm can steal information from the user, forge their email address and use its own spam engine to send itself to any addresses found on the infected computer. Like earlier versions of the Sober worm, the bilingual virus can travel in both English and German language emails.

When translated, the German version of the email message contains the following text:

Subject: Fwd: class reunion

Message text:
hi,
I hope finally I've reached the right person this time!
Anyway I attached our old class photo taken in former times.
if you recognize yourself please really write back!
but if I addressed the wrong person once again sorry for the annoyance ;)
friendly greetings,
Hannelore

"It may be flattering to think that someone has taken the trouble to look you up and make contact, but it's a lot less pleasant when you realise it's really a virus writer trying to hijack your computer," said Graham Cluley, senior technology consultant at Sophos. "The success of websites like FriendsReunited and Classmates.com shows that many people have used the net to keep in touch with old school friends. Sophos has seen substantial reports of Sober-O, and the worry is that those targeted will be unable to tell which messages are genuinely from friends, and which ones are designed to cause trouble."

Sober-O uses the same tricks as its predecessor, Sober-N, one of the biggest virus outbreaks of 2005. Sober-N compromised thousands of PCs in 40 countries by posing as tickets to the 2006 World Cup in Germany.

"The Sober family of worms is a wake-up call to businesses about the problem that infected machines can cause," continued Cluley. "Companies must ensure they are properly protected against these consolidated threats with automatically updated protection, while individual users have got to display extra vigilance over unsolicited attachments to prevent Sober-O from following in Sober-N's footsteps."

Sophos recommends companies protect their email with a consolidated solution to thwart the virus and spam threats and secure their desktops and servers with automatically updated anti-virus protection.