Sober Virus Preys on World Cup Soccer Fans

eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Theres no such thing as a free World Cup soccer ticket, especially those that arrive via unsolicited e-mails.

Thats the message from anti-virus vendors flagging a new variant of the Sober mass-mailing worm that spreads by promising ducats to the worlds biggest sporting event.

According to a warning from McAfee Inc., the latest mutant targets computer users in Germany with a slick social engineering trick that piggybacks on the popularity of the World Cup tournament, which begins in Munich next June.

The virus arrives as a .zip attachment with German text announcing that the recipient has won tickets for the 64 World Cup games. The text prompts the user to run the attachment for details on how to pick up the winning tickets.

When the .zip archive is extracted and the contained .pif file is manually executed, McAfee said the virus has been programmed to display a fake error message before copying itself to a newly created Windows directory and creating registry keys to load itself at system startup.

The worm attempts to contact different time servers and propagate by harvesting e-mail addresses from an infected system.

According to McAfee virus research manager Craig Schmugar, the latest outbreak began in Europe early Monday morning and quickly spread to the United States.

“This is a classic social engineering trick, and we know its working because the phone number included in the virus text has been inundated with calls,” he added.

/zimages/6/28571.gifRead more here about the Sober worm.

Schmugar told Ziff Davis Internet News that the high rate of infection has forced McAfee to raise its risk assessment to “medium.”

The company plans to release an updated version of McAfee AVERT Stinger, the free standalone utility used to detect and remove specific viruses.

Trend Micro Inc. late Monday released a separate alert with a “medium risk” warning and warned users to avoid e-mails that purport to come from FIFA (Fédération Internationale de Football Association), the international governing body for soccer.

“Once the user is infected with [the worm], the program uses the Outlook address book to forward itself to more potential victims. Computer users are cautioned to delete this e-mail immediately if received,” Trend Micro said.

Trend Micro and Symantec Corp have both provided removal instructions for infected users.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.