Sober: 350 different faces for five worms

PandaLabs has detected the appearance of two new Sober worms (AF and AG), in addition to the AC, AD and AE variants identified over the last few days. However, the authors of these five mass-mailing worms are not stopping at distributing them in the usual way; but using hundreds of different compression formats -350 according to PandaLabs- and sending them manually as spam messages. Even though none of these malicious codes have caused a significant number of incidents, the fact that so many infected files exist is in itself a cause for concern, as the probability of receiving one of them is increased.

According to Luis Corrons, director of PandaLabs: “the new Sober worms cannot be considered particularly dangerous for any specific characteristic. The worrying thing is that they are being sent out in many different formats. Although these worms are the same, traditional antivirus programs need a vaccine for each compression format. Obviously, this makes the work of security companies more difficult, as they have to spend time obtaining a sample of all the variants in circulation and generating the corresponding updates, which they must then include in the antivirus signature file of each client.”

The aim of the authors of these worms is not yet clear: “Although we have detected hundreds of compressed files carrying one of the new Sober worms, it is true that they do not seem to be spreading widely. It seems more like a test that aims to find out which one is most difficult for security solutions to detect. However, at the moment there is an incredible number of infected email messages in circulation, and therefore, users must be careful with the messages they receive from unknown senders,” adds Luis Corrons.

The proactive TruPreventTM Technologies are effectively detecting the new variants of Sober. Luis Corrons confirms that “our proactive technologies not only block attacks from unknown threats, but also allow us to shorten the vulnerability window. This is because whenever TruPreventTM Technologies detect a new malicious code, they immediately send it to PandaLabs to identify it.”

The five new Sober worms are very similar to their predecessors. When the user runs an infected file, they send themselves out to all the email addresses they find in a large number of files stored on the computer. These messages have very variable characteristics, although their most outstanding feature is that they change the language of the message depending on the suffix of the address to which they are sent. A message will be sent in German to address with the suffix ‘.de’, ‘.li’, ‘.ch’ or ‘.at’ . If addresses end in a different suffix, the message will be sent in English.

Panda Software clients that don’t yet have TruPreventTM Technologies already have the updates available to install them along with their antivirus and ensure they have prevented protection against unknown viruses and intruders. For users with a different antivirus program installed, Panda TruPrevent(tm) Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the antivirus is updated, decreasing the risk of infection. More information about TruPreventTM Technologies at

To help as many users as possible scan and disinfect their systems, Panda Software offers its free, online anti-malware solution, Panda ActiveScan, which now also detects spyware, at Webmasters who would like to include ActiveScan on their websites can get the HTML code, free from

Panda Software also offers users Virus Alerts, an e-bulletin in English and Spanish that gives immediate warning of the emergence of potentially dangerous malicious code. To receive Virus Alerts just visit Panda Software’s website ( and complete the corresponding form.

For further information about these and other computer threats, visit Panda Software’s Encyclopedia:

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the ‘cut’ and ‘paste’ options to join the pieces of the URL.

———————————————————— To unsubscribe from Virus Alerts, please visit:

To contact with Panda Software, please visit: ————————————————————

Don't miss