The latest news on the Sober-Z worm outbreak

November 24, 2005 Sophos Press Release

Genotype technology is built into all Sophos products, proactively defending against new threats.

Last updated 29 November 2005 with latest statistics

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centres, are warning computer users that the new Sober-Z worm is spreading at such a rate that it now accounts for over 88% of all viruses reported to Sophos - making it currently the most widespread computer virus in the world.

Accounting for a staggering one in 13 of all emails travelling across the internet, the Sober-Z worm sends itself as an email attachment and attempts to turn off security software on the user's computer.

The worm lures innocent computer users into opening its infected attachments using a variety of tricks that include posing as an FBI or CIA agent with attached questions to be answered, and a phoney offer of Paris Hilton and Nicole Richie video clips from 'The Simple Life'. Instead, in the case of every Sober-Z attachment, the zip file contains a copy of the worm with the filename File-packed_dataInfo.exe. The worm then scans the user's hard drive for other email addresses, in its search for other computers to infect.

Typical email messages sent by the worm can include, but are not limited to, the following:

From: <Harvested address>

Subject: hi, ive a new mail address

Message text:
hey its me, my old address dont work at time. i dont know why?! in the last days ive got some mails. i' think thaz your mails but im not sure! plz read and check ...
cyaaaaaaa

Attachment: mailtext.zip

or

From: <Harvested address>

Subject: Paris_Hilton_&_Nicole_Richie

Message text:
The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more ;)
Download is free until Jan, 2006!
Please use our Download manager.

Attachment: downloadm.zip
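The pattern described above (a zip attachment whose only content is an executable such as File-packed_dataInfo.exe) can be checked at the mail gateway. The following is an added example, not Sophos code; the function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed policy list of directly executable Windows extensions (not from the press release).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def risky_zip_members(raw_message: bytes):
    """Return (attachment name, member name) pairs for executables inside zip attachments."""
    findings = []
    msg = message_from_bytes(raw_message)
    for part in msg.walk():
        name = part.get_filename()
        if not name or not name.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            # Unreadable archive: report it so the gateway can quarantine instead of passing it.
            findings.append((name, "<unreadable archive>"))
            continue
        for member in members:
            # Windows ignores trailing dots and spaces, so strip them before comparing.
            if member.lower().rstrip(". ").endswith(EXECUTABLE_EXTS):
                findings.append((name, member))
    return findings

def build_sample(member_name: str, attachment_name: str) -> bytes:
    """Constructed test message: a zip attachment holding one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "hi, ive a new mail address"
    msg.set_content("plz read and check ...")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(risky_zip_members(build_sample("File-packed_dataInfo.exe", "mailtext.zip")))
    print(risky_zip_members(build_sample("notes.txt", "report.zip")))
```

Matching on archive contents rather than on subject lines or attachment names holds up when the lure text changes, since the press release notes the messages are not limited to the samples shown.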

"The sheer rate at which this worm is spreading proves that the devious tricks used by the worm's creator are working," said Graham Cluley, senior technology consultant at Sophos. "This should be a wake up call to businesses across the globe as to the major level of threat that viruses pose to IT security. It's absolutely imperative that all organisations defend their networks from such attacks with a consolidated solution."

At 00:00 on 6 January 2006, the worm attempts to download further code from the internet. If no code is downloaded, the Sober worm is programmed to stop replicating via email.

The author of the Sober worm has now been attacking innocent computer users for more than two years and Sophos is calling for anyone with information about the author to report it to the computer crime authorities.

Sophos customers proactively protected against Sober-Z worm

Sophos's Genotype™ technology was capable of detecting the Sober-Z worm proactively (naming it as W32/Sober-Gen), defending customers' computers without requiring an update. Sophos PureMessage, Sophos's consolidated email gateway solution, which defends businesses against both spam and viruses, can also block the spam messages sent by the worm.

Sophos strongly recommends companies thwart virus and spam threats and secure their desktops and servers with automatically updated anti-virus and anti-spam protection.