Sophos, a world leader in anti-virus and anti-spam protection
for businesses, is advising that reports from England and Germany
of the Windows worm W32/Sober-A have been steadily increasing
since its discovery on Monday.
The worm has duped some computer users with its ability to check
the domain of the recipient's email address and change the text
language accordingly. If it is '.de' (Germany), '.li'
(Liechtenstein), '.at' (Austria) or '.ch' (Switzerland), the
subject line and message text are displayed in German. All other
recipient addresses receive an English subject and body text. If an
infected email attachment is opened, the Sober worm starts to
spread by collecting email addresses found on the infected user's
computer and sending itself to each of them.
The displayed text uses sophisticated techniques to convince the
user to double-click on the attachment, such as posing as an
operating system patch that safeguards the recipient's computer or
as anti-virus software that protects the user against viruses. In one
instance, the virus writer praises the Sobig worm's author with the
"Congratulations!! Your Sobig Worms are very good!!!
You are a very good programmer!
Odin alias Anon"
"Sober-A is the latest in a string of recent worms to trick
Windows users by pretending to be attachments that deal with
security," said Carole Theriault, security consultant at Sophos.
"These worms play on computer users' fears and can be difficult to
spot with email subject lines and messages chosen at random. The
message is simple - treat all unsolicited emails with caution and
keep your anti-virus software up to date to stop these worms dead
in their tracks."
Sophos advises users never to accept security updates that
arrive as email attachments, and to use pro-active threat reduction
technology to block dangerous file types at the email gateway.
Sophos offers the following advice:
- Never accept security updates which arrive as email
attachments. (For that matter, don't blindly follow web links which
arrive by email, either, especially if they take you directly to a
- If you have a mail server which can block attachments (such as
Sophos MailMonitor for SMTP), disallow
the sending or receiving of attachments which contain programs. It
is almost impossible to make a business case for using email to
distribute programs, on account of the associated dangers.
- Update your anti-virus software regularly so you can identify
new worms and viruses effectively and accurately.
- Emails which sound too strange to be true, or sound too good to
be true, or are just too conveniently-timed to be true, probably
aren't true. You don't need to be cynical or paranoid to exercise
- If you have peer-to-peer file sharing programs installed on
your company's network, consider removing them. It is almost
impossible to make a business case for unregulated file sharing
across the internet, on account of the associated dangers.
- Doing nothing about viruses and worms is not an option. Once
infected by a worm like Sober, your computer will try to send the
worm to as many other potential victims as it can. Even if you
don't care about your computer, be considerate of the effect that
your carelessness might have on other internet users.
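
The gateway rule from the advice above (disallow attachments which contain programs), sketched as an added Python example. It is not Sophos code or MailMonitor configuration; the extension list, function names and sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed policy list of "program" extensions (not taken from the advisory).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def program_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for each MIME part that looks like a program."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        # Use the last extension, so "patch.txt.exe" and "patch.exe." are caught.
        lowered = name.lower().rstrip(". ")
        ext = "." + lowered.rsplit(".", 1)[1] if "." in lowered else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, "blocked extension " + ext))
        elif payload[:2] == b"MZ":
            # Renamed program: DOS/PE files start with the bytes "MZ".
            findings.append((name or "(unnamed part)", "DOS/PE executable header"))
    return findings


def build_sample(filename: str, content: bytes) -> bytes:
    """Constructed test message; addresses and text are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.de"
    msg["Subject"] = "Constructed sample"
    msg.set_content("Body text of a constructed sample message.")
    msg.add_attachment(content, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [("update.exe", b"MZ\x90\x00"), ("notes.txt", b"MZ\x90\x00"),
               ("report.pdf", b"%PDF-1.4\n")]
    for fname, data in samples:
        verdict = program_attachments(build_sample(fname, data))
        print(fname, "->", verdict or "deliver")
```

The header check matters because an extension list alone passes a program that has simply been renamed.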