// Home / News / Security

New SoberD worm preys on user paranoia

Posted on 8 Mar 2004 at 16:36

Computer users may feel they are already reeling from the current spate of viruses, particularly the many-headed MyDoom, Netsky and Bagle variants. But now there is a new concern. Following in the wake of the virulent Sober-C, comes a new Sober variant.

Spreading via email, the worm pretends to be a security update from Microsoft in the hope that recipients of infected emails will execute the attachment. The file purports to be a fix for the MyDoom virus. The email arrives with a subject line of 'Microsoft Alert: Please Read!' and its message text begins: New MyDoom Virus Variant Detected!

Copying itself into the Windows system folder under a variety of random names, it also adds a number of data files to the directory (such as mslogs32.dll and wintmpx33.dat). A message box will appear when infection is first activated, displaying: 'This patch has been successfully installed.'

As always, however, users should beware email attachments claiming to be security fixes. Official security notifications will always redirect a user to the company's website, from which any authorised updates can then be downloaded.

'This latest incarnation of the Sober worm seems to be preying on the current paranoia about email security,' said Graham Cluley, senior technology consultant at Sophos. 'The last couple of weeks has seen an endless stream of new viruses spreading in the wild including two variants of the MyDoom worm. But computer users shouldn't be tricked into trusting security fixes which arrive via email - the only place from which to download a patch is from the appropriate vendor's website.'

As with Sober-C, the worm is bi-lingual in that if it is being sent to a German email address, it presents itself in German instead of English.

Also titled as 'Roca-A' by Sophos, you can find more information about the worm on the anti-virus company's website.