Wednesday, April 25, 2007

Sober Worm (12/2005)

Q: I'm getting messages supposedly from the FBI and CIA accusing me of going to illegal Web sites. I’m sure I have a virus but my antivirus won’t catch it. How do I clean this stuff off my computer?
A: Does your email sound something like this? “Dear Sir or Madam, We have logged your IP-address on more than 30 illegal Websites. Important: Please answer our questions! The list of questions are attached. Yours faithfully, Steven Allison, Federal Bureau of Investigation-FBI”
No, I can’t read your mind - I am getting tons of these, too. I’m also getting lots of “Registration Confirmation”, Paris Hilton-related stuff, “password requests” and various other emails with suspicious attachments. I watch enough television to know that the first sign of the FBI or CIA’s interest in me would be an abrupt knock on the door or perhaps a knock upside my head -- not a friendly email warning me of their intent.

All these messages are the result of a variant of a two-year-old virus named “Sober.” The author of the Sober worm is widely believed to be a German dude with entirely too much time on his hands. At last count, there are about 20 variants of the two-year-old worm. The latest incarnation started spreading a couple of weeks ago and has become the largest email worm outbreak of the year.

If you have opened the attachment on an unprotected computer, you won’t notice a single thing wrong while the worm busily sends out infected emails to everyone in your address book.

The worm can also open a “back door” into your system, which gives the virus author remote access to the innards of your computer. It can also capture passwords entered through Internet Explorer and Outlook.

This is a serious threat but one that is very easily avoided. As long as you didn’t open the “list of questions” the “FBI” sent to you, you probably don’t have the virus. If you did open the attachment, then any current antivirus program should prevent any infection. You do have current antivirus software installed in your computer, right? Good.

Unfortunately, you will still get plenty of infected emails from the “FBI” and “CIA.” That is because someone with your address in their address book has a Sober infection. The virus sends the infected messages from your friend’s computer, but it changes the “From” line to some random address so that there is no way to tell where the messages are actually coming from. Lots of viruses work this same way.

I know of nothing you can do to prevent receiving them, but your antivirus program should be placing all of them in a separate area reserved for infected files.

The bottom line: Don't open spam. Don't open attachments. Just delete the stuff and keep your antivirus software up to date.

