Sober-N World Cup worm aims to foul football fans, Sophos reports

Sophos Press Release

Sophos products were automatically updated at 17:19 GMT on 2 May 2005 to protect against the Sober-N worm.

Worm accounts for over 79% of all virus reports in last 24 hours

Updated 4 May 2005 to include latest statistics

Experts at SophosLabs™, Sophos's global network of virus and spam analysis centres, have warned users about a new widespread email worm, posing as tickets for the 2006 World Cup in Germany.

In the last 24 hours the W32/Sober-N worm has swept to the top of the most widespread virus chart, accounting for 79.29% of all viruses seen by Sophos's monitoring stations around the world.

Like earlier versions of the Sober worm, the bilingual virus can travel in both English and German language emails as a malicious attached file. The worm can use a variety of different subject lines and message bodies, and when sent in German can pretend to be an email from FIFA (the international football association) saying the recipient has won free tickets for the 2006 soccer World Cup.

However, if the user opens the attached file they will become infected by the worm, and it will mass-mail itself to other email addresses found on the infected PC.

"Many people will be eager to attend one of the biggest sporting events in the world next year, and may think it's worth the risk of opening the email attachment just in case the prize is for real," said Graham Cluley, senior technology consultant for Sophos. "Computer users who don't practise safe computing will feel as sick as a parrot, and will only be passing this worm onto other unsuspecting victims."

Since it first emerged on Monday afternoon, the worm has gained momentum infecting more and more computer users. Because of the amount of email which can be sent by the worm computer users may find their mailboxes are filling up, and companies may discover that their email takes longer to arrive.

"The Sober-N worm accounts for 3 in every 4 viruses travelling across the internet at the moment. Although anti-virus protection is available it seems there must be many home users who have been complacent and are allowing their PCs to belch out more and more infected emails," said Graham Cluley, senior technology consultant for Sophos. "Everyone should consider putting in place automatic anti-virus updates, and a policy of blocking dangerous attachments at the email gateway. Anyone who assumed that we had seen the end of email viruses is being given an important wake-up call by this worm."

A typical email sent by the Sober-N worm.

This is not the first time a virus has used the international soccer tournament in an attempt to spread its malicious payload.

In 2002 the VBS/Chick-F virus tried to exploit interest in the latest news from the World Cup in South Korea/Japan by posing as an onscreen scores ticker.

In 1998, in the run-up to the World Cup competition in France, another football-inspired virus asked infected victims to place a bet on who the winner might be, and if the user did not choose the right team triggered a payload capable of wiping data off computer hard drives.

Sophos recommends companies protect their email with a consolidated solution to thwart the virus and spam threats and secure their desktops and servers with automatically updated anti-virus protection.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at