Sober.D is technically similar to its previous incarnation as Sober.C, where it used its own SMTP engine to send copies of itself to e-mail addresses found on infected systems, but the latest version displays fake Microsoft warnings and error messages.
"It arrives in an e-mail that pretends to be a patch to protect against a version of MyDoom," said senior technology consultant Graham Cluley of antivirus company Sophos. "The e-mail appears to be a Microsoft patch so people will of course double-click on that attachment."
According to Finnish antivirus company F-Secure, Sober.D spreads either as an executable attachment or inside a password-protected Zip archive attached to an e-mail. Once a user clicks on the file, the worm scans the PC to see if it has already been infected. If the system is clean, a small box appears with the message: "This patch has been successfully installed." If the system is already infected with Sober.D, the message says: "This patch does not need to be installed on this system."
Sober.D also changes its language depending on where it is being sent. If the recipient's e-mail address has either a DE, CH, AT, LI, NL or BE extension, the text will be in German and the subject will read: "Microsoft Alarm: Bitte Lesen". Otherwise the subject line is in English and reads: "Microsoft Alert: Please Read!" Previous versions of Sober have also been biligual, said Sophos' Cluley.
This is not the first time that a worm has disguised itself as a Microsoft update. In January, the Xombe or Trojan.Xombe worm posed as a critical patch for Windows XP. This was believed to be a copycat of 2003's most successful worm, Swen, which is thought to be the first known worm to masquerade as a security warning from Microsoft.
Microsoft has always maintained that it does not e-mail patches to users, so they should ignore any such messages. Additional information on its prevention and removal.
| 03/08/04
