Security threats Toolkit

Sober worm turns to Paris

Tags:
Viruses,
FBI,
Paris Hilton,
Spam

John Borland CNET News

Published: 23 Nov 2005 09:45 GMT

There is no Easter Bunny, and that's not a real Paris Hilton video in your email inbox. Nor is the FBI likely to be emailing you to ask you questions about visiting illegal Web sites.

A new variant of the Sober worm made the network rounds Tuesday, attempting to entice people into clicking on attachments purporting to be threats from the law enforcement agency or videos clips of the hotel heiress and her reality TV co-star Nicole Richie.

Antivirus companies said the worm gained some traction over the weekend and on Monday. It's a minor modification of the "Sober" virus that has flared up several times over the past year. But this latest variant, graded as a medium-level threat, appeared to be trailing off as security providers have responded.

"This one is virulent and will reproduce itself easily but does not have much of a payload," said David Perry, the global director of education at antivirus company Trend Micro. "For the time being, this particular strain is probably done."

Some antivirus companies said the worm was still spreading fast, however. In a blog posting, security company F-Secure said Internet companies have seen "several millions of infected emails" over the course of hours.

"The numbers we're now seeing... are just huge," wrote F-Secure Chief Research Officer Mikko Hypponen. "This is the largest email worm outbreak of the year, so far."

One version of the e-mail carrying the worm appears to be a letter from the FBI saying the agency has found evidence that the computer user has been visiting illegal Web sites. It asks the recipient to click on the attachment to answer questions. The FBI released a warning on Tuesday saying it never sends unsolicited e-mails.

"The FBI takes this matter seriously and is investigating," the agency said in its statement. "Users are instructed to delete the e-mail without opening it."

Another version of the e-mail used a message purporting to be from the Central Intelligence Agency. A third, a German-language variant, contained a threatening message from a German law enforcement agency.

A separate version purports to offer a download manager for "video clips, pictures and more" of Hilton and Richie. All operate the same way, once the attachment is activated, however.

If activated, the worm drops several files onto a computer and searches for e-mail addresses stored in address books or elsewhere in memory and sends copies of itself to those destinations. If it finds Microsoft's anti-spyware and antivirus software running, it turns the protections off.

Several other variants of a different virus, dubbed "Mytob," are also making the rounds. The e-mails carrying them purport to be a message from an e-mail service provider or from support staff providing notification about a changed password or suspended account.

Antivirus companies rate the danger of this worm as "low" but, as always, advise against clicking on unknown attachments to e-mails.