Sober worm returns and uses social engineering techniques

PandaLabs has recorded the appearance of a new variant of the Sober worm, Sober.Y, which spreads using social engineering techniques in emails sent in English or German.

The worm uses two types of mail to propagate: Firstly, an email in English with the subject “Your new password,” which tries to make users think it is notification of a change of password, asking them to check the data in an attached file, pword_change.zip.

Secondly, an email written in German claiming to contain a photograph of old school friends in the file KlassenFoto.zip. Both compressed files contain the executable PW_Klass.Pic.packed-bitmap.exe, which is a copy of the worm itself.

If the file is run, a false CRC error is displayed, even though the action has already started. The worm collects email addresses from files with certain extensions on the compromised computer, and sends itself out to them in the emails described above using its own SMTP engine. It will only use the German version of the email if the addresses end in .de (Germany), .ch (Switzerland), .at (Austria), or .li (Lichtenstein).

Even though the number of incidents recorded is low, this worm has significant propagation potential.