Sober virus outbreak springs six variants
By Matt Whipp
Posted on 16 Nov 2005 at 13:01
New versions of the bi-lingual Sober worm have been spammed out in the last few hours, as predicted by the Bavarian Police.
On Monday the Bavarian Police issued a statement warning that they had information on an outbreak planned for the following day.
The author of the Sober worm, which uses either German or English text, depending on the domain of the recipient, is widely believed to be German. However, he or she remains at large. The police force said its information came from a year-long investigation tracking down the Sober author.
Finnish security experts F-Secure said they counted four fresh variants in four hours on Tuesday evening, one of which matched the description (in terms of subject and message texts) supplied by the Bavarian Police. And within 24 hours the firm had detected a further two variants.
Russian security company Kaspersky also confirmed the outbreak, with variants of Sober from U to Z now added to the list.
As well as standard worm behaviour such as mailing itself on to other email addresses found on the victim's computer, the virus also installs a back door allowing remote access to the machine.
Kaspersky notes that the variants also install a tool - PSWTool.PassView.162 - which logs passwords entered through Internet Explorer and Outlook. It says it suspects that the attacker will download code to allow the virus to transmit those passwords back.
The most likely reason for holding this back is that having the transmission mechanism in place from the start would alert the security industry to the destination of these passwords, which would result in the IP address of the receiving system being quickly shut down.
The new variants display characteristics such as the following:
Subject: Registration Confirmation
Body: Thanks for your registration. Your data are saved in the zipped Word.doc file!
Attachment: registration.zip
Computer users should ensure their antivirus software is up to date with the latest definitions.
