Breaking News: Latest Sober Variant Continues Worldwide Spread
A new variant of the Sober worm family appeared on Friday. This latest version is known as Sober.I by all vendors except for McAfee, which calls it Sober.J. For the purposes of this post, the worm will be referred to as Sober.I to conform to naming standards.
Like all versions of the Sober family, Sober.I is a polymorphic mass-mailing worm that sends a range of different emails. However, unlike recent worms such as Netsky, Mydoom, and Bagle, Sober.I's polymorphism is limited. It contains only 13 possible subjects, 3 possible email bodies, and 2 possible attachment names with 5 possible attachment extensions (.exe, .com, .bat, etc.).
When the infected file is opened, the worm will display a fake WinZip error message (courtesy of McAfee):

Most major antivirus companies have released descriptions. Courtesy Harry Waldron from the McAfeeHelp.com Forums:
http://secunia.com/virus_information/13463/win32.sober.i/
http://vil.nai.com/vil/content/v_130130.htm
http://www.sarc.com/avcenter/venc/data/w32.sober.i@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.I
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=40797
http://www.f-secure.com/v-descs/sober_i.shtml
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=54761&sind=0
Symptoms of infection include connections to web servers of mostly German origin. The Sober family is believed to have been written in Germany. Sober.I initially appeared in France, Germany, and Australia, but has since spread worldwide.
I'll continue following the spread of this worm in the unlikely event of a major further development.
Posted Nov 20 2004, 05:38 PM by trafton