Latest Sober mutant targets soccer fans

Promise of World Cup tickets hides deadly payload

Robert Jaques, vnunet.com 03 May 2005

Security experts have warned of a newly discovered mutant of the Sober worm which attempts to lure users into opening infected attachments by promising World Cup football tickets.

McAfee's Avert antivirus division has branded the W32/Sober.p@MM worm, also known as Sober.p, as "prolific".

The mass-mailing threat contains its own SMTP engine to construct outgoing messages, which are written in German or English.

It harvests addresses from local files to send itself, producing emails with a spoofed 'From' address.

"The attachment comes in the form of a .zip file that contains an executable file named 'winzipped-text_data.txt.pif'," said the Avert warning.

"The filename contains a dual extension: the first is .txt, followed by many spaces then .pif. When the Zip archive is extracted and the .pif file is manually executed, the virus may display a fake error message."

However, Avert said that users would need to manually extract the executable from the .zip file and manually run the attachment in order to be infected.

The following German text, with the spoofed sender listed as Fifa, has been detected in versions of the infection currently spreading in the wild: "Tickets fur die 64 Spiele der Weltmeisterschaft 2006 in Deutschland sind Sie dabei."

An example of a randomly generated English message is as follows:

From: (address is spoofed)
Subject: Your Password
Body: Account and Password Information are attached!
Visit: http://www/.[sender's domain]
*** AntiVirus: No Virus found
*** "[recipient's domain] " Anti-Virus***
http://www/.[recipient's domain]

More information on Sober.p and how to remove it can be found at McAfee's website here.

See also: