- CNET NETWORKS UK BUSINESS SITES:
- atlarge.com
- BNET UK
- silicon.com
- SmartPlanet.com
- ZDNet.co.uk
We've seen this tactic before... but that doesn't mean users won't click it...
Published: 9 March 2004 08:35 GMT
The latest variant of the mass-mailing Sober worm, discovered on Monday, masquerades as an official Microsoft patch for the MyDoom worm.
Sober.D is technically similar to its previous incarnation as Sober.C, where it used its own SMTP engine to send copies of itself to email addresses found on infected systems, but the latest version displays fake Microsoft warnings and error messages.
Graham Cluley, senior technology consultant at Sophos, said: "It arrives in an email that pretends to be a patch to protect against a version of MyDoom. The email appears to be a Microsoft patch so people will of course double-click on that attachment."
According to Finnish antivirus company F-Secure, Sober.D spreads either as an executable attachment or inside a password-protected Zip archive attached to an email. Once a user clicks on the file, the worm scans the PC to see if it has already been infected. If the system is clean, a small box appears with the message: "This patch has been successfully installed." If the system is already infected with Sober.D, the message says: "This patch does not need to be installed on this system."
Sober.D also changes its language depending on where it is being sent. If the recipient's email address has either a .de, .ch, .at, .li, .nl or .be extension, the text will be in German and the subject will read: "Microsoft Alarm: Bitte Lesen". Otherwise the subject line is in English and reads: "Microsoft Alert: Please Read!" Previous versions of Sober have also been biligual, said Sophos' Cluley.
This is not the first time that a worm has disguised itself as a Microsoft update. In January, the Xombe or Trojan.Xombe worm posed as a critical patch for Windows XP. This was believed to be a copycat of 2003's most successful worm, Swen, which is thought to be the first known worm to masquerade as a security warning from Microsoft.
Microsoft has always maintained that it does not email patches to users, so they should ignore any such messages.
Munir Kotadia writes for ZDNet UK
This position will be a subject matter expert in key areas of FS able to: - Conduct meaningful business conversations with both client executives and ...
Other main functions of the role are troubleshooting & resolving cross platform message flow related issues, problem resolution & estate & patch ...
You will be supporting the global messaging and Active Directory infrastructure, troubleshoot and resolve cross platform message flow related issues ...
CIO50 2008
The silicon.com CIO50 2008 profiles the most influential and innovative tech chiefs in the UK across all industries and organisation size, from the biggest FTSE100 companies to high growth dot-com start ups and the public sector. The list was voted on by the UK CIO community and a panel of experts. Find out more in our latest special report.
Stories from the web...
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved. Top of page
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
RSS Feeds
Peter Cochrane Peter Cochrane's Blog: Is convergence a fiction? Or could it finally be happening…
Clive Longbottom Quocirca's Straight Talking: A game of two halves Microsoft Virtualisation scores while its SOA bores...