Sophos Warns Of Bilingual Bogus Microsoft Virus Fix

Sophos researchers have warned customers to be wary of a bilingual bogus Microsoft virus fix which claims to protect against the MyDoom worm.

The Sober-D worm (W32/Sober-D, also known as W32/Roca-A) has already been sighted several times in the wild, and arrives as an email with the subject line ‘Microsoft Alert: Please Read!’. The message text claims that a new variant of the MyDoom worm has been discovered and is spreading rapidly. It claims ‘Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus. The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 13468’ and asks computer users to download an attachment which will supposedly update their protection against the worm.

The email attachment is a ZIP file which contains the Sober-D worm. If the worm determines it is being sent to a German email address, it presents itself in German instead of English.

“This latest incarnation of the Sober worm seems to be preying on the current paranoia about email security,” said Graham Cluley, senior technology consultant at Sophos. “The last couple of weeks has seen an endless stream of new viruses spreading in the wild including two variants of the MyDoom worm. But computer users shouldn’t be tricked into trusting security fixes which arrive via email – the only place from which to download a patch is from the appropriate vendor’s website.”

“As the Sober-C worm has shown in recent months, viruses which use more than one language when communicating with users can be more successful at not raising suspicion,” continued Cluley. “Companies should ensure that their anti-virus software is automatically updated, and screen for dangerous filetypes at their email perimeter.”
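A perimeter check of the kind recommended above has to look inside ZIP attachments, since that is how this worm is packaged. The sketch below is an added example, not Sophos code; the blocked-extension list, the file names `update.zip` and `patch.exe`, and the addresses are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions blocked at the perimeter (an assumed, illustrative policy list).
BLOCKED = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

def blocked_ext(name):
    """Return the blocked extension of a file name, or None."""
    name = name.lower().rstrip(". ")  # trailing dots/spaces can hide the real type
    return next((e for e in BLOCKED if name.endswith(e)), None)

def screen_message(raw):
    """Return (attachment, reason) findings for one raw RFC 5322 message."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if blocked_ext(name):
            findings.append((name, "blocked file type"))
        # Identify archives by content, not by the name the sender chose.
        if zipfile.is_zipfile(io.BytesIO(data)):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if info.flag_bits & 0x1:  # member cannot be inspected
                            findings.append((name, f"encrypted member {info.filename}"))
                        if blocked_ext(info.filename):
                            findings.append((name, f"contains {info.filename}"))
            except zipfile.BadZipFile:
                findings.append((name, "unreadable archive"))
    return findings

def build_sample(member_name):
    """Constructed message: a ZIP attachment holding one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "harmless placeholder")
    msg = EmailMessage()
    msg["Subject"] = "Microsoft Alert: Please Read!"  # subject line quoted in the article
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg.set_content("Constructed sample body.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="update.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(screen_message(build_sample("patch.exe")))
```

A message with any finding would be quarantined rather than delivered; encrypted or unreadable archives are reported because their contents cannot be screened.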

More information about the Sober-D/Roca-A worm can be found on the Sophos website.



