
A Sobering Thought

Updated: 29 Jun 2009
Hon Lau

Since late yesterday we have seen a marked increase in the activity of a new Sober variant doing the rounds.
A new variant of Sober, named W32.Sober.AA@mm, is currently being spammed out to many users around the world.
The spam can be in either English or German and uses classic social engineering techniques to trick users into opening and running the attachments.

The emails sent have the following characteristics:

Subject:
Ihr Passwort wurde geaendert!
Fehlerhafte Mailzustellung
Ihr Account wurde eingerichtet!
Your Updated Password!
Error in your eMail

Message:
Ihr Passwort wurde erfolgreich geaendert.
Ihre neuen Account-Daten und Passwort befinden sich gesichert im Anhang!

or

Diese Nachricht wurde Automatisch generiert.
- Ihre EMail konnte nicht empfangen oder gesendet werden.

or

Danke das Sie sich fuer uns entschieden haben
Um ihren neuen Account zu aktivieren, folgen sie der kurzen Anleitung im Anhang. Es sind nur 2 Schritte noetig!

or

You notified us that you have forgotten your password.
We have changed your password to a random sequence of letters and digits!
For more detailed information, see the attached password file ...

or

Your eMail has occurred an unknown error on our Server.
Please read your mail and check the text.
The full email is attached!

Attachment Names:
Passw_Data[RANDOM DIGITS].zip
PDaten[RANDOM DIGITS].zip
Mail_Data[RANDOM DIGITS].zip
Anleitung[RANDOM DIGITS].zip

The file inside the attachment is:
Winzipped_Data-Files.exe
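One way to turn the characteristics above into a mail-filter check, as an added example that is not Symantec's rule set and not part of the original post: it parses a raw message, matches the listed subjects and attachment-name pattern, and looks inside the zip for the inner executable. The messages it builds are constructed for testing, not captures.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
# Indicators taken from the advisory above; the sample messages are constructed.
SOBER_AA_SUBJECTS = {"Ihr Passwort wurde geaendert!", "Fehlerhafte Mailzustellung",
                     "Ihr Account wurde eingerichtet!", "Your Updated Password!",
                     "Error in your eMail"}
# Attachment names: a known prefix, random digits, then a .zip extension.
ATTACHMENT_RE = re.compile(r"^(?:Passw_Data|PDaten|Mail_Data|Anleitung)\d+\.zip$", re.I)
INNER_EXE = "winzipped_data-files.exe"  # executable carried inside the zip

def sober_aa_indicators(raw: bytes) -> list:
    """Return the Sober.AA lure indicators present in a raw RFC 822 message."""
    msg = message_from_bytes(raw)
    hits = ["subject"] if (msg.get("Subject") or "").strip() in SOBER_AA_SUBJECTS else []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # multipart containers and the text body carry no filename
        if ATTACHMENT_RE.match(name.strip()):
            hits.append("attachment-name")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = []  # attachment is not a zip archive
        if INNER_EXE in (m.rsplit("/", 1)[-1].lower() for m in members):
            hits.append("inner-exe")
    return hits

def verdict(raw: bytes) -> str:
    """Quarantine on an attachment indicator; a lure subject alone is only flagged."""
    hits = sober_aa_indicators(raw)
    if "attachment-name" in hits or "inner-exe" in hits:
        return "quarantine"
    return "flag" if hits else "pass"

def build_sample(subject: str, attachment: str, inner: str) -> bytes:
    """Construct a test message (not a real capture) carrying a zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner, b"constructed placeholder, not an executable")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Ihre neuen Account-Daten befinden sich im Anhang!")  # lure body
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=attachment)
    return msg.as_bytes()
```

A subject alone is only flagged because legitimate password notifications can use similar wording; the attachment name and the inner executable are the discriminating indicators.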

Symantec customers have been protected since April 8, 2007 with the threat being detected as W32.Sober@mm.
Detections with Rapid Release Sequence of 67895 or greater (April 30, 2007) will detect this threat as W32.Sober.AA@mm.
Users of spam filtering will also be protected, since rules have been created to filter out these emails.

It has been a while since we last saw significant activity in this family of worms. The last named variant was back in 2005. Just like fashion, things often go out of style, only to make a comeback later. Could this be the comeback of Sober?

As usual, the advice is to not open email attachments from unexpected sources, even if they appear to be legitimate.