An old foe makes a comeback

The notorious Sober worm has been revived, this time as a new variant disguised as an e-mail with the subject line, “I’ve got your e-mail on my account.”

The new worm, named Sober.M, spreads itself by pretending to be an e-mail from a non-English speaker trying to correct an e-mail forwarding error. It reads: “Someone is sending your private e-mails on my address. It’s probably an e-mail provider error! At time, I’ve got over 10 mails on my account, but the recipient are you.”

The e-mail also includes a compressed file, called your_text.zip, which supposedly contains the misdirected messages copied by the message sender into a Windows text editor. The worm resides in the file and automatically activates itself once the file is downloaded.

After Sober.M penetrates a machine, it sends the e-mail address of the victim back to the worm author — a technique called harvesting, which is widely popular with spammers.

“It looks like the virus writer is deliberately using broken English to [convince] people the e-mail is not a virus,” said Graham Cluley, senior technology consultant at Sophos.

According to Sophos, Sober.M is spreading fast and is classified as the fifth most reported virus. Most security vendors have already updated their offerings and users are advised to update their anti-virus tools immediately.

The e-mail message appears in German or English and the worm affects systems running Microsoft Windows.