New Sober variant an efficient worm, but infections already dying down

The latest Sober variant is spreading around the world and has infected millions of computers. The new worm disguises itself as an official email from the FBI, CIA or Bundeskriminalamt (Germany's federal police) and asks people to open an attachment - apparently convincing enough for many users to do so. The attachment scans for email addresses and sends copies to other computers. In addition, the worm disables Microsoft's anti-malware tool.

Trend-Micro, which dubbed the new variant as WORM_SOBER.AG, said that the text of the email warns the reader that they are suspected of surfing illegal websites. The email headers are spoofed and are made to look like they come from the FBI, CIA or Bundeskriminalamt. Readers are instructed to open the attachment and answer questions. The attachment does several things. First, it scans for email addresses and then sends copies of the email to other people. The attachment also disables Microsoft's anti-malware tool. In addition, pop-up windows tell the user that no virus was detected inside the attachment.

Since Saturday the worm has accounted for the vast majority of infected emails according to many virus/worm tracking websites. Sophos is reporting that 61 percent of all infected emails contain the new Sober variant. David Perry, Director of Education at Trend-Micro, says that the worm is quickly dying down and probably in the last stages of infection.

Perry isn't surprised that people still open these emails and adds, "There a billion people on the Internet and 400 million of those are new this year. They are newbies." In addition, he says better social engineering techniques and the ease with which email headers can be spoofed cause Internet users, new and old, to continually open these infected emails. According to Perry, the real damage from this worm is that it "cuts deep into our trust of email."

This is not the first time that virus writers have used tried to fake emails coming from the FBI or other law enforcement agencies, but Perry thinks there are some ominous overtones with this latest variation. Previous email worms and phishing attacks have had such poor wording and grammar that most people immediately deleted them, but this new worm is different. "The wording is professional and not fake English like previous email viruses or scams. The German version is also well written," says Perry. According to Perry it's possible that this worm could have been written by a multi-national hacker group with significant resources.

Perry told us that the new worm is nothing special from a technological standpoint. "Other than the replication and disabling of Microsoft's tool, it doesn't really have any payload," says Perry. He adds that hackers tend to go after two targets, Microsoft and the phone companies. "Hackers really hate Microsoft. This tool searches for the Microsoft tool and terminates it. "It's not looking for Trend-Micro, Symantec, Mcafee or any of the others," says Perry.