Sober Virus Clones Taunt AV Vendors

A new batch of Sober virus clones has been spammed around the world to seed botnets for malicious use, anti-virus vendors warned Tuesday.

The appearance of the latest threat comes 24 hours after law enforcement authorities in Germany predicted the Sober mutants would appear as e-mail attachments in German or English.

According to F-Secure Corp., an anti-virus vendor based in Finland, at least four new versions of the virus have been detected. All are capable of disabling anti-virus programs, dropping a Trojan horse and opening a backdoor to connect to a remote server.

The Sober threat first appeared on the Internet in October 2003 and has been used in recent months to spread German right-wing extremist nationalism.

Virus writers have also used the excitement associated with next years World Cup soccer tournament to trick users into executing the virus.

In the latest attack, F-Secure researcher Alexey Podrezov said the virus writers left a message in the code that taunts anti-virus vendors.

“This time the author of Sober worm changed the encryption algorithm for text strings in the worms body. And he included a message for anti-virus vendors in the worms body basically saying that Use your debuggers, its fun,” Podrezov said in an advisory.

/zimages/4/28571.gifRead more here about the Sober virus preying on soccer fans.

The latest version also creates several empty files in the Windows System folder to deactivate previous Sober variants.

“This particular Sober variant checks for the file called filesms.fms, and if such file is found, the worm deactivates itself,” Podrezov said.

Upon infection, the virus deactivates security programs installed on the computer, including Microsoft Corp.s Windows AntiSpyware and McAfee Inc.s Stinger.

The virus code includes instructions to use Port 25 to send e-mails and Port 587 to connect to certain Yahoo servers.

McAfees AVERT (Anti-Virus Emergency Response Team) has also spotted four new Sober variants—W32/[email protected], W32/[email protected], W32/[email protected] and W32/[email protected]

McAfee rates the risk to corporate and home computers as “low” and published removal instructions to help affected users.

F-Secure, Symantec Corp. and other anti-virus vendors have also added signatures for the latest variants.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.