Press Releases

22 Nov 2005

Sober-Z worm poses as bogus messages from FBI or CIA

Sophos protects customers proactively against new Sober-Z worm

Genotype technology is built into all Sophos products, proactively defending against new threats.

Last updated 29 November, 11:00 GMT with latest statistics

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned internet users of an in-the-wild worm which is pretending to be an email from an FBI or CIA investigator.

In the last 24 hours, the worm has accounted for over 88% of all viruses reported to Sophos, making it currently the most prevalent virus spreading across the world. It has accounted for a staggering 1 in 13 of all emails travelling across the internet. The FBI is so concerned about the messages that it has issued a warning on its website.

The W32/Sober-Z worm arrives as an email attachment, and can use a variety of different messages, including the following:

Dear Sir/Madam,

We have logged your IP-address on more than 30 illegal Websites.

Important: Please answer our questions! The list of questions are attached.

Yours faithfully,
Steven Allison
Federal Bureau of Investigation-FBI-
935 Pennsylvania Avenue, NW , Room 3220
Washington , DC 20535
Phone: (202) 324-30000

Sometimes the emails claim to come from the same investigator, but at the CIA. Other versions pretend to be video clips from the Nicole Richie and Paris Hilton TV show "The Simple Life", or relate to the German version of the quiz show "Who wants to be a Millionaire".

If the attached file is run, the worm scans the user's hard drive for other email addresses, in its search for other computers to infect.

"This variant of the Sober worm may catch out the unwary as they open their email inbox this morning," said Graham Cluley, senior technology consultant at Sophos. "Every law-abiding citizen wants to help the police with their enquiries, and some will panic that they might be being falsely accused of visiting illegal websites and want to click on the unsolicited email attachment. All users should be reminded to follow safe computing guidelines, and PCs should be kept automatically updated with the latest anti-virus protection."

In a statement, the FBI has urged users who receive the viral emails to report them to the Internet Crime Complaint Center at www.ic3.gov.

"Anyone who may have information about the Sober worm's author should report it to the computer crime authorities," continued Cluley. "This malware writer has been maliciously attacking innocent computer users for over two years, and must be stopped."

Sophos customers proactively protected against Sober-Z worm

Sophos's Genotype™ technology was capable of detecting the Sober-Z worm proactively (naming it as W32/Sober-Gen), defending customers' computers without requiring an update. Sophos PureMessage, Sophos's consolidated email gateway solution, which defends businesses against both spam and viruses, can also block the spam messages sent by the worm.

Sophos recommends companies protect their email with a consolidated solution to thwart the virus and spam threats and secure their desktops and servers with automatically updated anti-virus protection.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.