As of November 19, 2004 at 9:31 AM GMT (ECT -1), TrendLabs has declared a MEDIUM risk virus alert in order to control the spread of this new SOBER variant. TrendLabs has received numerous infection reports indicating that this malware is spreading in France, Germany, and Australia.
This mass-mailing worm arrives on a system as an email message and contains German and English text. The previous version of SOBER contained German text only. It propagates by sending copies of itself to certain email addresses, which it gathers from files on the system that have specific extension names.
Notably, it also avoids sending messages to email addresses that contain certain strings. It also slows systems, taking up bandwidth and in turn reducing employee productivity.
The worm uses social engineering techniques to fool users into opening the email: the title of the email often gives the impression that it is an undeliverable email or a notice regarding a user's password.
Additionally, to further entice innocent users, the content of the WORM_SOBER.I email may include information suggesting the email has been scanned and found clean by a number of antivirus companies.
Interestingly, to try to ensure a successful infection, two executable files are dropped onto the victim's system, the second executable acting as a backup should one copy be terminated in memory by an antivirus product. The files are zero in size. Previous variants only dropped one executable.
David Kopp, Head of TrendLabs EMEA, said, "Trend Micro urges companies to deploy stringent rule blocking and security policies in order to control these threats. Virus writers frequently use social engineering tactics and attachments with extensions such as exe, pif, and scr to hide their malicious code."
Trend Micro customers are protected through the latest pattern file, number 2.255.00. Customers of Outbreak Prevention Services should download OPP 134 (or later) to help protect against the spread of this threat. For customers of Damage Cleanup Services, Damage Cleanup template # 457 should be downloaded to help with automated restoration of affected systems. Trend Micro Vulnerability Assessment and Network VirusWall pattern files will also support detection of WORM_SOBER.I.
Other users should use Trend Micro's free online virus scanner, Housecall, which can be found at housecall.trendmicro.com. For more information, please visit here.
# # #
About Trend Micro
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has its European headquarters in Marlow, England, and business units worldwide. Trend Micro products are sold through corporate, value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit: www.trendmicro-europe.com
# # #
Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners. Information is accurate at the time it was written and is subject to change without notice.
For more information please contact:
Trend Micro
Elizabeth Blanch
Tel: +44 (0)1628 400513
E-mail: Elizabeth_Blanch@trendmicro.co.uk
Lammers van Toorenburg Benelux PR
Anja Breunis / Annegees van Linge
Tel: +31 (0)30 6565 070
E-mail: anja@lvtpr.nl / annegees@lvtpr.nl