Fast-Spreading Sober Worm Up In Europe, Heading To U.S.

Sober.i is the general designation by anti-virus firms, although McAfee dubbed it Sober.j. By mid-morning, virtually every security vendor had popped its warning level to "medium," although Panda Software tagged it with a "high" label.

"It's spreading very quickly," said Sam Curry, the vice president of Computer Associates' eTrust security group. "But we're hard pressed to come up with a technical reason why it's so successful. There's nothing unusual, technically, in the worm, so it may just be a matter of lucky social engineering."

Sober, which was initially spammed in mass mailings early Friday, is a "classic e-mail worm," according an e-mailed alert from Moscow-based Kaspersky Labs. It disguises its payload as a file attachment, spreads using its own SMTP engine with addresses it loots from the compromised PC, and uses a highly random lists of subject heads.

"We've gotten wildly different reports of how pervasive this worm is," said Sam Curry, the vice president of Computer Associates' eTrust security group. "Our European offices, for instance, are seeing it as much more common, and dangerous, than North America at the moment. That, in itself, is unusual."

Like other Sober variations, this one arrives in e-mails written in either German or English.

But that dual language trait may actually stymie the worm. "Non-English messages act as a firewall of sorts," said Curry. "If an American receives a message in German, for instance, he'll just go 'what the heck is this?' and delete it."

Sober.i's German incarnation -- which is sent only to users with e-mail addresses that include the domain names for Germany (de), Austria (at), Switzerland (ch), or Lichtenstein (le) -- come in e-mails purporting to be from an exotic dancer who claims she's attached nude photos to the message. The English versions are more prosaic, with subject heads like "Delivery failure notice" and "hey dude!"

It's unclear whether Sober.i is actually much of a threat. "No virus is good, of course, but as far as we've seen in our initial analysis, it doesn't seem to have a malicious payload, like a backdoor component," said Curry.

McAfee's Marious Van Oers, a researcher with its AVERT virus center, agreed. "We've not found any backdoor."

In its alert, however, Kaspersky Labs claimed that Sober.i could download other files from remote servers, a tactic often used by hackers to later gain control of an infected machine by planting Trojan horses or spyware on the system.

"We're still analyzing the code," said Curry, "and waiting for the other shoe to drop. It may have the potential to spread other code."

Although the Sober worm family has been in the wild since October 2003, it's never been a serious threat, and least dangerous to users outside Europe. Germany is its likely country of origin, said Van Oers.

The only remarkable characteristic, he said, is that it deposits two copies of itself onto the target machine, so that if the user manages to delete one, the other is still active.

"That's really only a problem for someone trying to manually remove the worm," said Van Oers. "Anti-virus scanners will delete both processes automatically."