The New Sober Worms Are Being Distributed In Dozens Of Different Formats

PandaLabs has detected the reappearance of the Sober worm in the form of three new variants, Sober.AC, AD and AE, new members of this large family of malicious code that can spread in email messages written in English or German. These email messages have variable characteristics and contain a compressed file carrying a copy of the worm.

As on previous occasions, their author or authors have initially distributed these worms manually, although in this case, they have used dozens of compression formats for the file carrying Sober. “The aim is no other than to avoid detection by traditional antivirus programs. Although it is the same malicious code, it is often necessary to use different vaccines to block the same worm, precisely because of the format in which it has been compressed. Therefore, the more formats used, the more vaccines need to be developed and the longer the time needed to generate them all. This is the time that the authors of these worms are trying to take advantage of to infect as many computers as possible”, explains Luis Corrons, director of PandaLabs.
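The effect described above can be reproduced with a harmless constructed payload. This is an added example, not PandaLabs code: a signature taken over the attachment as delivered differs for every container format, while a scanner that identifies the container by its magic bytes and hashes the unpacked content sees one identical payload. The payload, function names and size cap are assumptions made for the illustration.

```python
import bz2, gzip, hashlib, io, lzma, zipfile, zlib

# Constructed, harmless stand-in for the attachment payload (not worm code).
PAYLOAD = b"CONSTRUCTED-SAMPLE-PAYLOAD " * 64
MAX_UNPACKED = 10 * 1024 * 1024  # cap output to resist decompression bombs

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def _zip(data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.bin", data)
    return buf.getvalue()

def pack_all(data):
    """Wrap the same bytes in several container formats."""
    return {"zip": _zip(data), "gzip": gzip.compress(data),
            "bz2": bz2.compress(data), "xz": lzma.compress(data)}

def _bounded(decompress, blob):
    out = decompress(blob, MAX_UNPACKED + 1)
    if len(out) > MAX_UNPACKED:
        raise ValueError("unpacked size exceeds cap")
    return out

def unpack(blob):
    """Identify the container by magic bytes and return the inner bytes."""
    if blob.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            # Single-member archive assumed; a real scanner walks every member.
            with zf.open(zf.infolist()[0]) as member:
                return _bounded(lambda _b, n: member.read(n), blob)
    if blob.startswith(b"\x1f\x8b"):
        return _bounded(zlib.decompressobj(wbits=31).decompress, blob)
    if blob.startswith(b"BZh"):
        return _bounded(bz2.BZ2Decompressor().decompress, blob)
    if blob.startswith(b"\xfd7zXZ\x00"):
        return _bounded(lzma.LZMADecompressor().decompress, blob)
    return blob  # unknown or uncompressed: hash as delivered

def container_hashes(data):
    """Hash of each attachment as delivered: one distinct value per format."""
    return {fmt: sha256_hex(b) for fmt, b in pack_all(data).items()}

def content_hashes(data):
    """Hash after unpacking: the same value regardless of format."""
    return {fmt: sha256_hex(unpack(b)) for fmt, b in pack_all(data).items()}
```

A format the unpacker does not recognise falls through to the as-delivered hash, which is the gap that every additional compression format opens for a signature-only scanner.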

The proactive TruPrevent™ Technologies have effectively detected these variants of Sober in all the file formats they have used up until now, so systems with these technologies installed have been protected from the moment that each of these malicious codes appeared. “These types of infections, with a large number of variants released in a very short space of time, are when proactive protection is most effective, as it does not need our intervention with a signature file in order to react. In fact, since they were released in August 2004 our technologies have blocked attacks from over 23,000 different unidentified threats. This gives you an idea of the huge virus activity on the Internet”, says Luis Corrons.

When it infects computers, Sober automatically sends itself out to all the email addresses it finds in a large number of files stored on the computer. These messages have variable subjects, file names and languages. The worm will send a message in German to addresses with the suffix ‘.de’ (Germany), ‘.li’ (Liechtenstein), ‘.ch’ (Switzerland) or ‘.at’ (Austria). If addresses end in a different suffix, the message will be sent in English.
