’Tis the season for sober

23 Dec 2003

As if to counteract the traditional warnings against seasonal overindulgence, computer users are this week being warned against getting sober. A new mass mailing worm, dubbed sober (full name W32/Sober.c@MM), has been tagged as medium risk as it is considered increasingly prevalent.

New computer users are thought to be especially at risk, as they may be unfamiliar with procedures for handling and removing viruses. The worm has been identified and named by several antivirus vendors as follows: Sober.C (F-Secure), W32.Sober.C@mm (Symantec) and WORM_SOBER.C (Trend).

The worm propagates itself by harvesting target email addresses from an affected machine. Outgoing messages are constructed using the worm’s own SMTP engine. The messages may be written in either English or German, and their body contents and attachment filenames vary to avoid detection. Users should watch out for mails carrying unseasonal subject lines such as: “you are an idiot”, “why me?”, “I hate you”, “Preliminary investigation were started”, “Your IP was logged” and “You use illegal File Sharing”.

According to virus information from the McAfee security website, two processes run on the victim’s machine in order to ensure the worm stays resident in the system memory. If one of the processes is halted for any reason, the other process restarts it very quickly.

The attachments on emails carrying the worm have a variety of names, thought to lure users into thinking they have been sent a gaming application. Typical examples include: www.onlinegamerspro-worm.com, www.freegames4you-gzone.com, www.anime4allfree.com or www.boards4all-terror432.com.
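The attachment names above look like web addresses, but on Windows a trailing ".com" is an executable file extension. The following mail-gateway check is an added example, not code from the article or any vendor: it flags a message whose subject matches one quoted above or whose attachment filename has that shape. The function name, regex and sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Subject lines quoted in the article, lower-cased for comparison.
SOBER_SUBJECTS = {
    "you are an idiot", "why me?", "i hate you",
    "preliminary investigation were started",
    "your ip was logged", "you use illegal file sharing",
}
# Filename shaped like a web address whose final ".com" is really the
# DOS/Windows executable extension (assumed pattern, built from the
# four example names in the article).
URL_LIKE_COM = re.compile(r"^www\.[a-z0-9-]+(\.[a-z0-9-]+)*\.com$", re.I)

def inspect_message(raw):
    """Return the reasons a raw RFC 822 message matches the description."""
    msg = message_from_string(raw)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SOBER_SUBJECTS:
        reasons.append("subject:" + subject)
    for part in msg.walk():  # visits every MIME part, nested ones included
        name = (part.get_filename() or "").strip()
        if URL_LIKE_COM.match(name):
            reasons.append("attachment:" + name)
    return reasons

# Constructed sample message; the attachment body is a harmless placeholder.
SAMPLE = """\
From: sender@example.test
Subject: Your IP was logged
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

see attachment
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="www.freegames4you-gzone.com"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--BOUND--
"""
```

Because the article says subjects and filenames vary, a match is a reason to quarantine for inspection and a miss proves nothing; blocking executable attachment types outright is the sturdier control.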

By Gordon Smith