Worm Masquerades as Microsoft Patch

Written By
Dennis Fisher
Mar 8, 2004

A new worm purporting to contain a patch to defend against MyDoom is attacking Windows machines throughout Europe and parts of North America.

Sober.D appeared Sunday and began spreading in Germany and the United Kingdom. The worm arrives in an e-mail message with a subject line of “Microsoft Alert: Please Read!” and carries a sending address with a Microsoft domain. The domain extensions on the messages are typically from Germany, Israel, Switzerland or Austria.

The new worm comes a week after the largest, most concentrated onslaught of virus activity in recent memory, which included the appearances of 16 new viruses within about 10 days. Most of those new threats were variants of existing viruses, including MyDoom. The original version of Sober hit the Internet last October and never amounted to much.

Many of the samples of the new variant that antivirus vendors have seen so far have been written in German. The body of the infected message reads:

“New MyDoom Virus Variant Detected! A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet. Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus. The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 13468. Protection: Please download this digitally signed attachment. This Update includes the functionality of previously released patches.”

The message includes a file attachment that is either an executable or a Zip archive, according to Network Associates Inc.'s analysis of Sober.D. Once installed on a machine, the virus will display a phony error message indicating that the fake patch either has been installed or does not need to be installed on the PC.

Sober.D then scours the machine's hard drive for e-mail addresses and begins mailing itself out.

Officials at NAI, based in Santa Clara, Calif., said they had seen about 100 samples of Sober.D as of early Monday morning.
