22 Nov 2005

Sober-Z worm poses as bogus messages from FBI or CIA

Sophos protects customers proactively against new Sober-Z worm

Genotype technology is built into all Sophos products, proactively defending against new threats.

Last updated 29 November, 11:00 GMT with latest statistics

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned internet users of an in-the-wild worm which is pretending to be an email from an FBI or CIA investigator.

In the last 24 hours, the worm has accounted for over 88% of all viruses reported to Sophos, making it currently the most prevalent virus spreading across the world. It has accounted for a staggering 1 in 13 of all emails travelling across the internet. The FBI is so concerned about the messages that it has issued a warning on its website.

The W32/Sober-Z worm arrives as an email attachment, and can use a variety of different messages, including the following:

Dear Sir/Madam,

We have logged your IP-address on more than 30 illegal Websites.

Important: Please answer our questions! The list of questions are attached.

Yours faithfully,
Steven Allison
Federal Bureau of Investigation-FBI-
935 Pennsylvania Avenue, NW , Room 3220
Washington , DC 20535
Phone: (202) 324-30000

Sometimes the emails claim to come from the same investigator, but at the CIA. Other versions pretend to be video clips from the Nicole Richie and Paris Hilton TV show "The Simple Life", or relate to the German version of the quiz show "Who wants to be a Millionaire".

If the attached file is run, the worm scans the user's hard drive for other email addresses, in its search for other computers to infect.

"This variant of the Sober worm may catch out the unwary as they open their email inbox this morning," said Graham Cluley, senior technology consultant at Sophos. "Every law-abiding citizen wants to help the police with their enquiries, and some will panic that they might be being falsely accused of visiting illegal websites and want to click on the unsolicited email attachment. All users should be reminded to follow safe computing guidelines, and PCs should be kept automatically updated with the latest anti-virus protection."

In a statement, the FBI has urged users who receive the viral emails to report them to the Internet Crime Complaint Center at

"Anyone who may have information about the Sober worm's author should report it to the computer crime authorities," continued Cluley. "This malware writer has been maliciously attacking innocent computer users for over two years, and must be stopped."

Sophos customers proactively protected against Sober-Z worm

Sophos's Genotype™ technology was capable of detecting the Sober-Z worm proactively (naming it as W32/Sober-Gen), defending customers' computers without requiring an update. Sophos PureMessage, Sophos's consolidated email gateway solution which defends businesses against both spam and viruses, can also block the spam messages sent by the worm.

Sophos recommends companies protect their email with a consolidated solution to thwart the virus and spam threats and secure their desktops and servers with automatically updated anti-virus protection.

About Sophos

More than 100 million users in 150 countries rely on Sophos's Complete Security solutions as the best protection against complex IT threats and data loss. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions that are simple to manage, install and deploy. The offering is backed by a worldwide network of the company's own analysis centers, SophosLabs.

Sophos is headquartered in Boston, USA, and Oxford, UK. In Germany the company has its headquarters in Wiesbaden, and it has one office each in Austria and Switzerland. Further information at