Security threats Toolkit

Sober climbs November worm charts

Alorie Gilbert CNET News.com

Published: 01 Dec 2005 09:05 GMT

Malicious messages that purport to be from the National Hi-Tech Crime Unit (NHCTU), the CIA or Paris Hilton generated the vast majority of virus-laden email traffic in November, according to security companies.

The emails carry new variants of the Sober worm in an attachment which, when opened, infects the recipient's computer. The worm then attempts to disable antivirus programs and send copies of itself to any email addresses found on the hard drive.

The Sober worm still accounts for close to 43 percent of all viruses being reported to the British antivirus firm Sophos. At its peak, it accounted for one out of every 13 emails relayed over the Internet, the group said on Wednesday.

As the most widespread variant since Sober first appeared about two years ago, the new offshoot has threatened to overwhelm email servers and slow message delivery, Sophos said. Postini, another computer security firm, estimates that the latest Sober outbreak is twice as large as the biggest previous attack.

Infected emails carry a variety of messages. One claims to be a message from the FBI or CIA, while another similar one tailored for the UK market claims to come from the NHCTU. It informs recipients that they've visited illegal Web sites and instructs them to answer questions in the email's attachment. Another promises video clips of socialites Paris Hilton and Nicole Richie, while a German version references that country's version of the TV show "Who Wants To Be A millionare".

"Mocking the feds is a sure-fire way of goading the authorities, and you can't help but wonder whether the author is desperate to be caught," Carole Theriault, senior security consultant at Sophos, said in a statement.

Sophos also reported that close to 3 percent of all emails contain viruses. The firm collects data from a global network of monitoring stations.