New strain of Sober worm

Worm entices sports fans to download latest variant by posing as a bogus offer for free football tickets.

By Sarah Gain. Published May 3, 2005

A medium risk alert has been issued by security company Trend Micro to raise awareness of a new variant of the Sober worm that mass-mails itself through SMTP email and is socially engineered to trick users into opening the file attachment containing the worm programme. One strain of the worm deceives recipients by pretending to be an offer for free tickets to the football World Cup 2006 games in Germany, from the Federation Internationale de Football Association (FIFA). The Sober worm has been sighted in the Middle East region, in both German and English languages.

Similar to previous variants, the Sober.S worm spreads through its own SMTP engine, gathering new recipients from each victim computer, yet avoids sending to certain domains, particularly those of companies involved in the antivirus and security industry. The worm arrives under a variety of subject headers, message bodies and attachments, and the “from” address may appear as Admin, Hostmaster, Info or Webmaster, with attachment names such as,, and Once it has infected a system, the Sober.S worm drops several files on the infected system and modifies the Windows registry so that it executes again at each system start-up. The worm arrives in a file about 53 KB in size, and can be in UPX format, affecting Windows 98, ME, NT, 2000 and XP platforms.

One variation appears to be an official communication from the FIFA organisation and says, “Congratulations, you have won free tickets.” This message arrives with the attachment, causing the recipient to believe that they have won highly coveted tickets to the annual football event. Instead, once the user opens the attachment, an error message appears and the worm is launched. This is a prime example of social engineering, according to Jamz Yaneza, senior virus researcher at TrendLabs.
“Because these games are very popular worldwide and even users who are savvy enough to suspect this email is a fake, may take a risk and click on the attachment anyways in hopes of getting free tickets. It can be a bad gamble to take,” comments Yaneza.
