[ISN] Sober worm offshoot trades on Paris Hilton, FBI

From: InfoSec News (isn@private)
Date: Tue Nov 22 2005 - 23:05:37 PST


http://news.com.com/Sober+worm+offshoot+trades+on+Paris+Hilton%2C+FBI/2100-7349_3-5967601.html

By John Borland 
Staff Writer, CNET News.com
November 22, 2005

There is no Easter Bunny, and that's not a real Paris Hilton video in
your e-mail box. Nor is the FBI likely to be e-mailing you to ask you
questions about visiting illegal Web sites.

A new variant of the Sober worm made the network rounds Tuesday,
attempting to entice people into clicking on attachments purporting to
be threats from the law enforcement agency or video clips of the
hotel heiress and her reality TV co-star Nicole Richie.

Antivirus companies said the worm gained some traction over the
weekend and on Monday. It's a minor modification of the "Sober" virus
that has flared up several times over the past year. But this latest
variant, graded as a medium-level threat, appeared to be trailing off
as security providers have responded.

"This one is virulent and will reproduce itself easily but does not
have much of a payload," said David Perry, the global director of
education at antivirus company Trend Micro. "For the time being, this
particular strain is probably done."

Some antivirus companies said the worm was still spreading fast,
however. In a blog posting, security company F-Secure said Internet
companies have seen "several millions of infected emails" over the
course of hours.

"The numbers we're now seeing...are just huge," wrote F-Secure Chief
Research Officer Mikko Hypponen. "This is the largest email worm
outbreak of the year, so far."

One version of the e-mail carrying the worm appears to be a letter
from the FBI saying the agency has found evidence that the computer
user has been visiting illegal Web sites. It asks the recipient to
click on the attachment to answer questions.

The FBI released a warning on Tuesday saying it never sends
unsolicited e-mails.

"The FBI takes this matter seriously and is investigating," the agency
said in its statement. "Users are instructed to delete the e-mail
without opening it."

Another version of the e-mail used a message purporting to be from the
Central Intelligence Agency. A third, a German-language variant,
contained a threatening message from a German law enforcement agency.

A separate version purports to offer a download manager for "video
clips, pictures and more" of Hilton and Richie. Whatever the lure, all
of the versions behave the same way once the attachment is activated.

If activated, the worm drops several files onto a computer and
searches for e-mail addresses stored in address books or elsewhere in
memory and sends copies of itself to those destinations. If it finds
Microsoft's anti-spyware and antivirus software running, it turns the
protections off.
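As an added illustration that is not part of the article, the following mail-filter check flags messages that combine the lure themes described above (a claimed FBI or CIA sender, "illegal Web sites", the Hilton/Richie video clips) with an executable or archive attachment. The two messages are constructed samples, and the attachment suffixes and sender patterns are assumptions; the article only says "attachment".

```python
import email
from email import policy

# Lure themes named in the article. Attachment types and the sender patterns
# are assumptions; the article only says the worm arrives as an attachment.
LURE_WORDS = ("fbi", "cia", "illegal web site", "paris hilton",
              "nicole richie", "video clips", "download manager")
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".zip")

# Constructed sample modelled on the FBI lure (not a real captured message).
SAMPLE_FBI = """From: FBI <office@fbi.example>
To: user@example.com
Subject: Your IP was logged on illegal web sites
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

We have logged that you visited illegal Web sites. Answer the questions in the attachment.
--b1
Content-Type: application/octet-stream; name="question_list.zip"
Content-Disposition: attachment; filename="question_list.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed benign sample: ordinary subject, no attachment.
SAMPLE_OK = """From: Alice <alice@example.com>
To: user@example.com
Subject: Lunch tomorrow?

Are you free at noon?
"""

def classify(raw):
    """Return which lure themes and attachments a raw RFC 822 message carries."""
    msg = email.message_from_string(raw, policy=policy.default)
    header_text = " ".join((msg.get("From", ""), msg.get("Subject", ""))).lower()
    lure_hits = [w for w in LURE_WORDS if w in header_text]
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    exec_names = [n for n in names if n.lower().endswith(EXEC_SUFFIXES)]
    # A lure theme alone is just a topic; the lure plus an executable attachment
    # is the combination worth quarantining (the FBI says it sends no such mail).
    return {"lure_hits": lure_hits, "attachments": names,
            "suspicious": bool(lure_hits) and bool(exec_names)}
```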

Several other variants of a different virus, dubbed "Mytob," are also
making the rounds. The e-mails carrying them purport to be a message
from an e-mail service provider or from support staff providing
notification about a changed password or suspended account.

Antivirus companies rate the danger of this worm as "low," but as
always, advise against clicking on unknown attachments to e-mails.






This archive was generated by hypermail 2.1.3 : Tue Nov 22 2005 - 23:19:41 PST