New worm disguises as MS update

janett999 · 03-08-2004, 06:54 PM

The latest variant of the mass-mailing Sober worm, discovered on Monday, masquerades as an official Microsoft patch for the MyDoom worm.

Sober.D is technically similar to its previous incarnation as Sober.C, where it used its own SMTP engine to send copies of itself to e-mail addresses found on infected systems, but the latest version displays fake Microsoft warnings and error messages.

"It arrives in an e-mail that pretends to be a patch to protect against a version of MyDoom," said senior technology consultant Graham Cluley of antivirus company Sophos. "The e-mail appears to be a Microsoft patch so people will of course double-click on that attachment."

According to Finnish antivirus company F-Secure, Sober.D spreads either as an executable attachment or inside a password-protected Zip archive attached to an e-mail. Once a user clicks on the file, the worm scans the PC to see if it has already been infected. If the system is clean, a small box appears with the message: "This patch has been successfully installed." If the system is already infected with Sober.D, the message says: "This patch does not need to be installed on this system."

Sober.D also changes its language depending on where it is being sent. If the recipient's e-mail address has either a DE, CH, AT, LI, NL or BE extension, the text will be in German and the subject will read: "Microsoft Alarm: Bitte Lesen". Otherwise the subject line is in English and reads: "Microsoft Alert: Please Read!" Previous versions of Sober have also been biligual, said Sophos' Cluley.

This is not the first time that a worm has disguised itself as a Microsoft update. In January, the Xombe or Trojan.Xombe worm posed as a critical patch for Windows XP. This was believed to be a copycat of 2003's most successful worm, Swen, which is thought to be the first known worm to masquerade as a security warning from Microsoft.

Microsoft has always maintained that it does not e-mail patches to users, so they should ignore any such messages. Additional information on its prevention and removal.

http://zdnet.com.com/2100-1105_2-517...?tag=zdfd.left

the hunter · 03-08-2004, 07:46 PM

I dont know if this is related, but I have never had so many port scans as Im getting tonight. It is so bad that I traced it back, and called my provider with the port #s, and the buggers IP add.

03-08-2004, 06:54 PM	#1 (permalink)
janett999 our grateful nightmare Join Date: Feb 2003 Location: here and there!!!! Posts: 554	New worm disguises as MS update The latest variant of the mass-mailing Sober worm, discovered on Monday, masquerades as an official Microsoft patch for the MyDoom worm. Sober.D is technically similar to its previous incarnation as Sober.C, where it used its own SMTP engine to send copies of itself to e-mail addresses found on infected systems, but the latest version displays fake Microsoft warnings and error messages. "It arrives in an e-mail that pretends to be a patch to protect against a version of MyDoom," said senior technology consultant Graham Cluley of antivirus company Sophos. "The e-mail appears to be a Microsoft patch so people will of course double-click on that attachment." According to Finnish antivirus company F-Secure, Sober.D spreads either as an executable attachment or inside a password-protected Zip archive attached to an e-mail. Once a user clicks on the file, the worm scans the PC to see if it has already been infected. If the system is clean, a small box appears with the message: "This patch has been successfully installed." If the system is already infected with Sober.D, the message says: "This patch does not need to be installed on this system." Sober.D also changes its language depending on where it is being sent. If the recipient's e-mail address has either a DE, CH, AT, LI, NL or BE extension, the text will be in German and the subject will read: "Microsoft Alarm: Bitte Lesen". Otherwise the subject line is in English and reads: "Microsoft Alert: Please Read!" Previous versions of Sober have also been biligual, said Sophos' Cluley. This is not the first time that a worm has disguised itself as a Microsoft update. In January, the Xombe or Trojan.Xombe worm posed as a critical patch for Windows XP. This was believed to be a copycat of 2003's most successful worm, Swen, which is thought to be the first known worm to masquerade as a security warning from Microsoft. Microsoft has always maintained that it does not e-mail patches to users, so they should ignore any such messages. Additional information on its prevention and removal. http://zdnet.com.com/2100-1105_2-517...?tag=zdfd.left __________________ American by Birth File Sharer by Choice

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

03-08-2004, 07:46 PM	#2 (permalink)
the hunter getting hitched Join Date: Apr 2003 Location: canada Posts: 2,655	I dont know if this is related, but I have never had so many port scans as Im getting tonight. It is so bad that I traced it back, and called my provider with the port #s, and the buggers IP add.