New Internet worm - Level 3 security threat

19 11 2004

A new variant of the ‘Sober’ Internet worm was discovered on November 19, 2004, and rated a Level 3 threat by Symantec. An Internet Alert was issued to Norton Firewall and Internet Security 2005 subscribers on the same day.

This is a mass-mailing worm that uses its own email engine to spread by sending email attachments to addresses found on the infected computer. This infection is caused when a user double clicks on an infected attachment.

The subject of the email may be in English or German. Typical messages include:

Your password was changed successfully.
Protected message is attached.

This account_hast_been_disabled.

I was surprised, too!
Who_could_suspect_something_like_that? sh*tyiiiii

Diese Information ist geschützt duch ein Passwort!

The email attachment will have a .bat, .com, .pif, .scr, or .zip file extension, or even a double extension.

When a user double clicks on a infected attachment, the worm will display a bogus error message:
’WinZip_Data_Module is missing ~Error: {[number]}’

The Sober worm creates several files and registry keys and may attempt to download and execute a file on the infected machine. It is reported to reduce the level of system security as well.

This type of Internet worm was first discovered in October 2003 and eight variants have since been identified.

Sophos reported a variant of Sober with a message in German claiming to come from a 21-year-old GoGo dancer with long blonde hair who says she is seeking employment as a nude model. The email claims that she has attached naked photographs of herself, but they really contain a copy of this malevolent Internet worm.

Norton users can download a removal tool from here –
W32.Sober removal tool (page opens in a new window)

Back to top of page

© 2004 Copyright topenterprise uk ltd All rights reserved
Property of topenterprise uk ltd and made available under the terms of use notice on this web site