Silicon Valley - Public Access Link

Sober Email Virus

Recent versions of this virus purport to be from the CIA or FBI warning you about criminal activity.

Vulnerable Systems

This worm only affects users running Windows 95, 98, NT, Me, 2000 or XP.

Impact

This virus scans a variety of files on your computer looking for email addresses. It then mass-mails itself to these "found" email addresses, thereby spreading itself to other computers. The virus also attempts to disable virus protection by terminating anti-virus programs running on the infected computer.

Solutions

See Microsoft's Windows Update web site for easy updating of your Microsoft software. Install a virus scanner to provide additional protection. You may need to start your computer in safe mode to successfully run your virus scanner. Check your virus software documentation for details on how to scan and remove virus infections.

For more information

Check the CERT Coordination Center for more information on this worm. Or check SVPAL's virus page for more general virus protection information.

US-CERT Advisory

W32/Sober Revisited
added November 22, 2005 | updated November 22, 2005

US-CERT is aware of several new variants of the W32/Sober virus that propagate via email. As with many viruses, these variants rely on social engineering to propagate. Specifically, the user must click on a link or open an attached file.

A recent variant sends messages that appear to be from the CIA or FBI, while a German version appears to be coming from the Bundeskriminalamt (BKA), the German Federal police service. US-CERT encourages users to review the appropriate alert below:

These new variants of the W32/Sober virus identified above share common characteristics listed below. Once infected, the malicious code may:

  • Attempt to harvest email addresses from a configurable list of file extensions
  • Utilize its own SMTP engine to send itself to the harvested email addresses

Although each variant has different functionality, the list below contains a subset of the common characteristics found in previous variants. Once a system is infected, the malicious code may:

  • Modify the system registry to prevent Windows XP's built-in firewall from starting
  • Attempt to harvest email addresses from a configurable list of file extensions
  • Utilize its own SMTP engine to send itself to the harvested email addresses
  • Modify the HOSTS file to prevent the computer from accessing certain security and commercial web sites
  • Attempt to terminate a number of running processes, some of which are security related
  • Open a backdoor on the system that allows the attacker to communicate remotely with the system via IRC. This may allow the attacker to upload and execute arbitrary code on the infected machine.
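One defender-side check for the HOSTS-file tampering listed above, written here as an added example (it is not code from SVPAL or US-CERT): it parses HOSTS-file text and reports any watched security or update site that has been redirected to a loopback or unspecified address. The watchlist domains and the sample HOSTS content are constructed assumptions for the demo, not values from the advisory.

```python
import ipaddress

# Illustrative watchlist of update/security sites a worm might sinkhole. These
# names are an assumption for the demo; the advisory names no specific domains.
WATCHED_DOMAINS = {"windowsupdate.microsoft.com", "update.microsoft.com",
                   "www.symantec.com", "www.mcafee.com"}

def parse_hosts(hosts_text):
    """Yield (ip, hostname, line_no) for each mapping in HOSTS-file text.

    Tolerates blank lines, full-line and trailing '#' comments, tabs, and
    several hostnames on one line, as the Windows resolver does.
    """
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                      # blank, comment-only or malformed
        ip, hostnames = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)      # first token must be an IP address
        except ValueError:
            continue
        for host in hostnames:
            yield ip, host.lower().rstrip("."), line_no

def is_sinkhole(ip):
    """True if `ip` can never reach a real server (loopback or unspecified)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified

def find_blocked_sites(hosts_text, watched=WATCHED_DOMAINS):
    """Return {domain: (ip, line_no)} for every watched site the HOSTS file
    redirects to a sinkhole, so the offending line can be cited and removed."""
    blocked = {}
    for ip, host, line_no in parse_hosts(hosts_text):
        if host in watched and is_sinkhole(ip):
            blocked[host] = (ip, line_no)
    return blocked

# Constructed sample HOSTS content (not a real capture): ordinary localhost
# lines plus the kind of sinkhole entries the advisory describes.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1  www.symantec.com   Update.Microsoft.com   # added by malware
0.0.0.0\twww.mcafee.com
192.0.2.10  intranet.example   # legitimate internal mapping, not flagged
"""
```

On a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` into `find_blocked_sites` and compare the result against the machine's known-good baseline before deleting anything.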

US-CERT strongly encourages users to install anti-virus software, and keep its virus signature files up-to-date.

Additionally, US-CERT strongly encourages users not to follow unknown links, even if sent by a known and trusted source. You may also wish to visit the US-CERT Computer Virus Resources.

Contact Silicon Valley Public Access Link
Last updated: February 23, 2006