New mass mailing Sober.L worm spreading via email - over 38,000 copies intercepted
- 22 February, 2005 09:01
<p>MessageLabs, the leading provider of email security and management services to businesses, is warning computer users to be on their guard against a new variant of the mass mailing Sober email worm, W32.Sober.L-mm. MessageLabs has intercepted over 38,000 copies by 8.30am EST today. The first copy was intercepted on 21 February 2005 at 05:01 GMT, originating in Germany, with detections also in France, the US and UK to date.</p>
<p>W32.Sober.L-mm is a mass-mailing worm that sends itself as an attachment and creates random subject lines and body texts in either English or German, depending on the harvested addresses identified by the worm.</p>
<p>The worm can also display a notice, purportedly from anti-virus vendors, warning about a new version of the virus itself, in an attempt to dupe users into clicking on the attachment to download a patch against the virus.</p>
<p>Computer users who open the file attached to the email activate the virus, which harvests the email addresses it finds on the computer's hard drive. The virus then forwards itself to the addresses it has discovered on the infected computer, sending itself in the form of an English or German language message.</p>
<p>Subject lines (others possible): “Alert! New Sober worm”, “Paris Hilton Sex Videos”, “You visit illegal websites” and “Your new Password”.</p>
<p>Body Text (others possible):
Antivirus vendors are warning of a new variant of the "Sober" virus discovered today that can delete the hard disk.</p>
<p>Protection: Download and read the zipped patch. It's very easy to install!
Thanks for your cooperation!</p>
<p>Damage: Once activated, W32/Sober.L-mm drops several copies of executable files onto an infected computer with filenames csrss.exe, winlogon.exe and smss.exe.</p>
<p>The worm modifies the registry key Software\Microsoft\Windows\CurrentVersion\Run so that it executes on startup. It then displays the contents of the file %systemdrive%/windows/temp/doc_data-text.txt in Notepad.</p>
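<p>A triage check built on the two indicators above, added here as an example and not taken from MessageLabs: it scans saved <code>reg query</code> output of the Run keys for values that launch a program named csrss.exe, winlogon.exe or smss.exe. The genuine Windows processes with those names are started by the operating system rather than from Run keys, so any hit deserves a look. The function names, the sample value names and the sample directories are assumptions constructed for illustration.</p>

```python
import ntpath
import re

# File names the advisory lists as dropped by the worm.
DROPPED_NAMES = {"csrss.exe", "winlogon.exe", "smss.exe"}
# One value line of `reg query` output: name, type and data, each preceded by 4 spaces.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def executable_of(command):
    """Return the program path of a Run-key command line, without its arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted: cut after the first ".exe" so paths containing spaces survive.
    match = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command.split(" ", 1)[0]


def suspicious_run_values(reg_query_output):
    """Return (key, value name, program path) for Run values using a dropped name."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        match = VALUE_LINE.match(line)
        if match:
            program = executable_of(match["data"])
            # ntpath parses Windows paths on any OS and accepts both \ and /.
            if ntpath.basename(program).lower() in DROPPED_NAMES:
                findings.append((key, match["name"], program))
    return findings


# Constructed sample; value names and directories are placeholders, not from the advisory.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VendorTray    REG_SZ    "C:\Program Files\Vendor\tray.exe" /background
    WinCheck    REG_SZ    C:\WINDOWS\Example Dir\winlogon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    C:\Program Files\Vendor\update.exe -silent
    _WinCheck    REG_SZ    "C:\WINDOWS\Example Dir\SMSS.EXE"
"""

if __name__ == "__main__":
    for finding in suspicious_run_values(SAMPLE):
        print(finding)
```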
<p>Detection: MessageLabs detected this virus proactively, using its unique and patented Skeptic™ predictive heuristics technology.
For further information, please visit the MessageLabs website at:</p>
<p>MessageLabs is the world's leading provider of email security and management services with more than 10,000 clients and offices in eight countries. For more information, please visit http://www.messagelabs.com</p>