Sober Worm Spreads

By Jay Munro  |  Posted 2003-11-06 Print this article Print

The W32.Sober worm continues to spread after its initial release in Germany. The worm propagates using its own SMTP engine and may claim to be a fix from Microsoft or antivirus vendors.

This summers crop of mass mailing DCOM- and RPC-exploiting worms has made "get the patch" a mantra for most savvy users. However, the latest worm throws that reliable action into the gray area, especially for novice users. Thats because the latest batch of worms are posing as e-mailed fixes from Microsoft. W32/Dumaru (several variants),and W32/Swen.A, are multi-level or blended threats that hit your email box demanding that you "Install this patch immediately", among other subject lines. If your antivirus software is a little out of date, and doesnt catch these recent threats, you could be in trouble since these worms will disable most AV processes. The latest up and coming threat is W32.Sober, which appears to have originated in Germany and is quickly spreading through Europe and the US.

While business and consumers deal with the latest virus scourge, several sources reported last week that US State department, of all places, got hit Sept 24th. An unclassified section of the State Departments intranet system was shut down for around nine hours by the W32/Welchia worm. W32/Welchia, first reported in August, is an almost altruistic worm, disabling and deleting MSBlast.exe from a previously W32/Blaster.worm infected machine, and installing itself. It then attempts to download and update the system with Microsofts DCOM/RPC vulnerability patch, preventing re-infection by Blaster.

Non-viral, malicious software (malware) in the form of spyware (keyboard loggers, URL trackers), adware (browser plug-ins that track and pop up advertising) and porn dialers (dials 900 or foreign long distance numbers at exorbitant rates) are on the increase and just as troublesome as viruses. McAfee and Symantec have recently added to their latest antivirus products, McAfee VirusScan 8 and Norton AntiVirus 2004 detection for these "extended threats". The fledgling detection and elimination procedures found in these products may be less sophisticated than spyware detectors like Lava Softwares Adaware and SpyBot Search and Destroy, but with their wider coverage of consumer markets they should help alleviate the larger infection problem.

Microsoft made two announcements of note: The release of the Update Rollup for Windows XP, and that they are going from their weekly patch release schedule to a monthly one. This is a relief to patch inundated IT departments that need to test all code before rollout to their users. Microsoft said however, they will still release emergency updates when needed.

At press time, we started tracking a new worm, W32/Mimail.C and its varieties. This destructive worm is currently spreading quickly, and has been added to most venders virus definition lists. We will be detailing the threat and fix next week. To read the full PC Magazine Newsletter, click here.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel