Kaspersky Lab analysts warn that three new email worm variants are active

Kaspersky Lab, a leading developer of solutions that protect against viruses, Trojans, worms, hacker attacks and spam, announces that the company’s virus analysts have detected three new variants of Email-Worm.Win32.Sober — Sober.u, Sober.v, and Sober.w. The three worms are modifications of the same program which has been repacked. A large number of samples have been intercepted in mail traffic, which confirms that the epidemic was caused by mass spamming of infected messages.

The new variants of Sober arrive as an attachment to infected messages. The attachment, which contains the body of the worm, is approximately 130KB in size. Although infected messages either have a random subject and text, or no subject or text at all, they can be recognized by the attachment name.

The attachment names are chosen from the following list:

* Exceltab-packed_List.exe
* Liste.zip
* Reg-List-Dat_Packer2.exe
* reg_text.zip
* Word-Text.zip
* Word-Text_packedList.exe
* Word-Text_packedList.zip
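
As an added illustration (not Kaspersky Lab code), a mail gateway check could flag messages by the attachment names listed above and report whether the size is close to 130KB. The function names, the size tolerance and the sample messages are assumptions constructed for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment names from the advisory list, compared case-insensitively.
SOBER_NAMES = frozenset(n.lower() for n in (
    "Exceltab-packed_List.exe", "Liste.zip", "Reg-List-Dat_Packer2.exe",
    "reg_text.zip", "Word-Text.zip", "Word-Text_packedList.exe",
    "Word-Text_packedList.zip",
))
APPROX_SIZE = 130 * 1024   # "approximately 130KB" per the advisory
SIZE_TOLERANCE = 0.25      # assumption: how loosely to read "approximately"

def scan_message(raw: bytes):
    """Return (filename, size_bytes, size_matches) per listed attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Mail clients may send a full path; compare the base name only.
        base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
        if base not in SOBER_NAMES:
            continue
        size = len(part.get_payload(decode=True) or b"")
        near = abs(size - APPROX_SIZE) <= APPROX_SIZE * SIZE_TOLERANCE
        hits.append((name, size, near))
    return hits

def build_sample(filename: str, size: int) -> bytes:
    """Constructed test message with a zero-filled attachment (no malware)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m.set_content("constructed sample body\n")
    m.add_attachment(b"\0" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for fname, n in (("WORD-TEXT.ZIP", 130 * 1024), ("report.pdf", 2048)):
        print(fname, scan_message(build_sample(fname, n)))
```

A name match alone is the indicator the advisory gives; the size flag is supporting evidence only, since the text says "approximately".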


The worm is only activated if the recipient clicks on the attachment. Once launched, the worm causes a false error message, “WinZip Self-Extractor. WinZip_Data_Module is missing ~Error”, to be displayed on screen.

The new variants of Sober copy themselves to the Windows system directory, and then register these files in the system registry, ensuring that a copy of the worm will be launched each time Windows is rebooted on the infected machine. In order to propagate, the worm sends itself to email addresses harvested from the victim machine. Users are encouraged to be cautious, and not to open suspicious email or attachments.

The Kaspersky® Anti-Virus databases have been updated with detection for Sober.u, Sober.v, and Sober.w. Kaspersky Lab urges users to update their antivirus databases as soon as possible. Further information about the new Sober variants will be available in the Kaspersky Virus Encyclopaedia.
