New worm masquerading as Microsoft security update

9 Mar 2004

A new worm variant is posing as a message from Microsoft in an attempt to fool users into clicking on the attachment and triggering the payload.

Spotted yesterday, the new Sober.D worm pretends to be an update from Microsoft that is supposed to remove the MyDoom worm. Messages appear in English and German. Sober.D, also known as W32/Roca-A, spreads itself as an EXE attachment or inside a ZIP archive.

In English, the mail’s subject line reads as follows: “Microsoft Alert: Please Read!”. The body of the message goes on to explain that the “digitally signed attachment” is a way to prevent the spread of the MyDoom worm.

Sober.D is written in Visual Basic. According to the antivirus software provider F-Secure, the worm’s file is packed with a modified version of the UPX file compressor. It has its own SMTP engine, which it uses to send out infected e-mail messages, and it scans files with certain extensions on all hard disks to harvest e-mail addresses.

The sender’s address is faked and can be one of nine possible options, such as Info, UpDate, Help, Patch and Security. The .EXE or .ZIP attachment is similarly named to try to trick unsuspecting users; variants include MS-Security and sys-patch, all chosen to make the message appear legitimate.
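The lure described above (spoofed Microsoft sender, the alert subject line, and an executable delivered directly or inside a ZIP) can be checked for at the mail gateway. The following is an added illustration, not code from the article or from F-Secure: a small scanner that parses a raw message, inspects its attachments (opening ZIP archives to look for an .EXE inside), and reports the indicators it matches. The sample message is constructed here; the sender heuristic (local-part from the article’s list, or “Microsoft” in the sender name) and the decision to check only the .EXE extension are assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators reported in the article for Sober.D: subject line, faked sender
# local-parts and attachment name stems. Only .EXE is checked (assumption).
LURE_SUBJECT = "microsoft alert: please read!"
LURE_SENDERS = {"info", "update", "help", "patch", "security"}
LURE_STEMS = {"ms-security", "sys-patch"}
EXEC_EXT = ".exe"

def _flag_name(name, where, hits):
    """Record indicators for one attachment (or ZIP member) file name."""
    low = name.lower()
    stem = low.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    if low.endswith(EXEC_EXT):
        hits.append(f"executable attachment {name} ({where})")
    if stem in LURE_STEMS:
        hits.append(f"lure attachment name {name} ({where})")

def scan_message(raw: bytes) -> list[str]:
    """Return the Sober.D-style indicators found in a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == LURE_SUBJECT:
        hits.append("lure subject line")
    display, addr = parseaddr(msg.get("From", ""))
    local = addr.split("@", 1)[0].lower()
    if local in LURE_SENDERS or "microsoft" in (display + addr).lower():
        hits.append(f"spoofed sender {addr!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        _flag_name(name, "direct", hits)
        if name.lower().endswith(".zip"):  # look inside the archive too
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        _flag_name(member, f"inside {name}", hits)
            except zipfile.BadZipFile:
                hits.append(f"unreadable ZIP attachment {name}")
    return hits

def build_sample() -> bytes:
    """Constructed message resembling the lure; the ZIP member is not a real binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MS-Security.exe", b"MZ constructed placeholder, not executable code")
    msg = EmailMessage()
    msg["From"] = "Microsoft Security <patch@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Microsoft Alert: Please Read!"
    msg.set_content("Run the digitally signed attachment to remove the MyDoom worm.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="sys-patch.zip")
    return msg.as_bytes()
```

Running `scan_message(build_sample())` reports the subject, the spoofed sender, the lure-named ZIP, and the executable found inside it; a plain message with no attachment yields an empty list.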

By Gordon Smith