Threat From Sober Variant Grows

By Matthew Hicks  |  Posted 2003-12-22 Print this article Print

Network Associates raises threat level to medium as incidents of the W32/Sober.C worm spread over the weekend.

A variant of the Sober mass-mailing worm appears to be gaining more traction as leading security vendors increase their threat levels. Increasing prevalence of the W32/Sober.C worm prompted Network Associates Inc. on Sunday to raise its risk assessment to medium from low. Sober.C is most active in Germany, where e-mail security vendor MessageLabs Inc. said 83 percent of samples had originated. Other security vendors all have rated Sober.Cs threat as low or medium. F-Secure Corp. tagged it a medium threat, ranking it a level 2 threat out of three. Symantec Corp. rated it as a level 2 threat out of five, or a low threat. MessageLabs also consider the risk "low," while saying that it has intercepted a "significant number of copies" of the worm.
Sober.C first appeared on Saturday, and New York-based MessageLabs reported its highest number of interceptions of the worm on Sunday.
Sober.C, once activated, e-mails itself to a users Microsoft Outlook address book and sends outgoing messages through its own SMTP engine, said Network Associates, of Santa Clara, Calif. Along with e-mail, Sober.C can spread through peer-to-peer filing sharing networks. Earlier this month, Jay Munro at PC Magazine warned that W32/Sober still showed signs of malignant life. To read the full story, click here. The infected messages can appear in either English or German and use a variety of subject lines and file attachment names. The attachments end in one of the following extensions: com, bat, cmd, pif, scr or exe. The executed worm displays a fake error message that begins with the attached file name in quotes. Sober.C, written in Visual Basic, can infect systems running Windows 2000, Windows 95, Windows 98, Windows NT and Windows Server 2003. Discuss This in the eWEEK Forum
Matthew Hicks As an online reporter for, Matt Hicks covers the fast-changing developments in Internet technologies. His coverage includes the growing field of Web conferencing software and services. With eight years as a business and technology journalist, Matt has gained insight into the market strategies of IT vendors as well as the needs of enterprise IT managers. He joined Ziff Davis in 1999 as a staff writer for the former Strategies section of eWEEK, where he wrote in-depth features about corporate strategies for e-business and enterprise software. In 2002, he moved to the News department at the magazine as a senior writer specializing in coverage of database software and enterprise networking. Later that year Matt started a yearlong fellowship in Washington, DC, after being awarded an American Political Science Association Congressional Fellowship for Journalist. As a fellow, he spent nine months working on policy issues, including technology policy, in for a Member of the U.S. House of Representatives. He rejoined Ziff Davis in August 2003 as a reporter dedicated to online coverage for Along with Web conferencing, he follows search engines, Web browsers, speech technology and the Internet domain-naming system.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel