The Viruses Continue: Newest Worm Poses As Microsoft Patch
The worm, dubbed Sober.D, appeared Sunday and began spreading in Germany and the United Kingdom. Officials at Network Associates, Santa Clara, Calif., said they had seen about 100 samples of the worm by Monday morning.
The worm arrives in an e-mail message with a subject line of "Microsoft Alert: Please Read!" and carries a sending address with a Microsoft suffix. Following this suffix, the domain extensions on the messages are typically from Germany, Israel, Switzerland or Austria.
Many samples of the new variant have been written in German. According to Network Associates, the body of the infected message instructs recipients to download a "digitally signed attachment" that includes the "functionality of previously released patches." The instructions, of course, are bogus.
The message also includes a file attachment that is either an executable (.exe) or Zip archive (.zip). Once installed on a machine, the virus will display one of two phony error messages: that the patch has been installed or that the patch does not need to be installed at all. The worm then searches the computer's hard drive for e-mail addresses and uses its own SMTP engine to mail itself to every address it finds.
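The article's description of the lure (the "Microsoft Alert: Please Read!" subject, a "Microsoft" sender address on a non-Microsoft domain, a "digitally signed" patch story in the body, and an .exe or .zip attachment) is enough to write a gateway-side heuristic. The following Python is an added example for illustration, not code from the article or from any antivirus vendor mentioned in it; the scoring thresholds, the `LEGIT_MICROSOFT_DOMAINS` allow-list and the two sample messages are constructed assumptions.

```python
"""Heuristic mail-gateway check for the Sober.D-style patch lure.

Indicators are taken from the article: the subject line, a sender address
mentioning Microsoft on a non-Microsoft domain, a body that talks about a
"digitally signed attachment" or "patches", and an .exe/.zip attachment.
The quarantine threshold and the allow-list are assumptions for this example.
"""
import email
import re
from email import policy
from email.message import EmailMessage

LURE_SUBJECT = "microsoft alert: please read!"
RISKY_EXTENSIONS = (".exe", ".zip")
# Assumed allow-list: sender addresses mentioning Microsoft are accepted only here.
LEGIT_MICROSOFT_DOMAINS = {"microsoft.com"}


def sender_domain(addr: str) -> str:
    """Extract the domain part of an address such as 'Name <user@host.tld>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower() if m else ""


def spoofs_microsoft(from_header: str) -> bool:
    """True when the address mentions Microsoft but is not on an allowed domain."""
    dom = sender_domain(from_header)
    if not dom or "microsoft" not in from_header.lower():
        return False
    return not any(dom == d or dom.endswith("." + d) for d in LEGIT_MICROSOFT_DOMAINS)


def risky_attachments(msg: EmailMessage) -> list[str]:
    """Names of attachments whose extension matches the worm's carriers."""
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            names.append(name)
    return names


def score_message(raw: str) -> dict:
    """Return the matched indicators and a quarantine decision for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject == LURE_SUBJECT:
        hits.append("lure-subject")
    if spoofs_microsoft(str(msg["From"] or "")):
        hits.append("spoofed-microsoft-sender")
    attachments = risky_attachments(msg)
    if attachments:
        hits.append("executable-or-zip-attachment")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if "digitally signed attachment" in text or "patch" in text:
        hits.append("patch-lure-body")
    # Assumed policy: quarantine only when a payload carrier is present and at
    # least two other lure indicators co-occur; a lone patch notice is just logged.
    quarantine = "executable-or-zip-attachment" in hits and len(hits) >= 3
    return {"hits": hits, "quarantine": quarantine, "attachments": attachments}


def build_sample(from_addr: str, subject: str, body: str, attachment_name: str = None) -> str:
    """Construct a raw RFC 5322 message for testing; the bytes are not a real worm."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()


# Constructed samples modelled on the article's description.
SOBER_LIKE = build_sample(
    "Microsoft Security <security@microsoft.de>",
    "Microsoft Alert: Please Read!",
    "Please install the digitally signed attachment. It includes the "
    "functionality of previously released patches.",
    "patch.exe",
)
BENIGN = build_sample("colleague@example.org", "Lunch tomorrow?", "Are we still on for noon?")

if __name__ == "__main__":
    for label, raw in (("sober-like", SOBER_LIKE), ("benign", BENIGN)):
        print(label, score_message(raw))
```

The check deliberately keys on the combination of indicators rather than the subject string alone, since a single header is trivial for a later variant to change; the attachment requirement keeps a legitimate text-only security notice from being quarantined.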
"The [SMTP engine] enables the virus to send itself out pretty quickly," said Sharon Ruckman, senior director of security response at Symantec, Cupertino, Calif. "This is something we didn't see in viruses from recent years."
As Ruckman explained, Sober.D arrived just weeks after the largest, most concentrated onslaught of virus activity in recent memory involving 16 new virus variations in about 10 days. According to the recently released Symantec Internet Security Threat Report, virus writers are now on pace to exceed all previous records, which hover around 250 or 300 new viruses per month.
At McAfee Security, the enterprise division of Network Associates, Vincent Gullato, vice president of McAfee AVERT, noted that his company also has detected an "unprecedented" number of virus variants in the last four weeks. Gullato, however, said that the more variants virus writers release, the better antivirus companies become at detecting them and snuffing them out.
"Variants give us more to study," he said. "The more variants we see, the more likely we are to write generic detection."
The original version of Sober hit the Internet last October and never amounted to much. By Tuesday afternoon, none of the major anti-virus vendors had deemed Sober.D a major threat either.