ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Jobs
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


Security threats Toolkit

Bilingual worm masquerades as Microsoft patch

Munir Kotadia ZDNet.co.uk

Published: 08 Mar 2004 12:40 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

The latest variant of the mass-mailing Sober worm, discovered on Monday, masquerades as an official Microsoft patch for the MyDoom worm.

Sober.D is technically similar to its previous incarnation as Sober.C, where it used its own SMTP engine to send copies of itself to email addresses found on infected systems, but the latest version displays fake Microsoft warnings and error messages."It arrives in an email that pretends to be a patch to protect against a version of MyDoom," said senior technology consultant Graham Cluley of antivirus company Sophos. "The email appears to be a Microsoft patch so people will of course double-click on that attachment."

According to Finnish antivirus company F-Secure, Sober.D spreads either as an executable attachment or inside a password-protected Zip archive attached to an email. Once a user clicks on the file, the worm scans the PC to see if it has already been infected. If the system is clean, a small box appears with the message: "This patch has been successfully installed." If the system is already infected with Sober.D, the message says: "This patch does not need to be installed on this system."

Sober.D also changes its language depending on where it is being sent. If the recipient's email address has either a DE, CH, AT, LI, NL or BE extension, the text will be in German and the subject will read: "Microsoft Alarm: Bitte Lesen". Otherwise the subject line is in English and reads: "Microsoft Alert: Please Read!" Previous versions of Sober have also been biligual, said Sophos' Cluley.

This is not the first time that a worm has disguised itself as a Microsoft update. In January, the Xombe or Trojan.Xombe worm posed as a critical patch for Windows XP. This was believed to be a copycat of 2003's most successful worm, Swen, which is thought to be the first known worm to masquerade as a security warning from Microsoft.

Microsoft has always maintained that it does not email patches to users, so they should ignore any such messages.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with Konica

Did you find this article useful?
60 out of 138 people found this useful


In association with Intel

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats



Company/Topic Alerts

Create a new alert from the list below:










Related Jobs

IT Support/ Windows XP/ Server 2003/ Active Directory/ Backup

2nd Line Support/Windows XP, Southampton

C++ Engineer-Rugby-To 40,000

Sentry Posts Blog

Virtual Teams: Small Business Innovati...

Virtual Teams: Small Business Innovation Author: Eric Everson, Founder – MyMobiSafe.com As the founder of MyMobiSafe.com, I’ve found that because of our presence in the industry... More

Post a comment

Mobile Security and Innovation: An Ope...

Mobile Security and Innovation: An Open Case Author: Eric Everson, Founder MyMobiSafe.com The times are changing in the mobile industry as “big wireless” in the US Markets are calling... More

Post a comment

Government launches new e-crime unit

Ok, so this is outside of my main area of focus of sustainable and green tech but I do track some security issues too. I was at a meeting last week with Microsoft's security advisor... More

Post a comment

Featured Oracle Resources

Human Resources Management eBook

Supply Chain Management eBook

Design and Innovation Report

Economist Intelligence Unit Report - Technology and growth at mid-sized companies

See All White Papers