The latest version of Sober is Extreme

Security companies have warned of a new version of the Sober worm that appeared on the morning of February 21. Sober is a worm that spreads via e-mail. The new version has a very fast infection rate and has hit large numbers of computers in the US and Europe.

British security company MessageLabs detected W32.Sober-K-mm at 5:01 pm GMT. MessageLabs found 663 Sober infections in the first hour after the virus appeared, and after 11 hours GMT, there were 2,200 cases of infection.

Max Schipka, a senior security researcher at MessageLabs, said that the level of infection was severe and that the new Sober variant was much more versatile than previous versions.

This latest version of Sober appeared first in Germany, by mid-morning had appeared in France and England, and finally reached the United States. W32.Sober-K-mm seems to have been created by a hacker himself; the first Sober version appeared in October 2003 and also originated in Germany.

"I do not know whether the worm's code is distributed on the Internet," Max Schipka said. "It's written in Visual Basic, which is quite difficult to work with using C++ or Assembler, so I think the virus is one of the authors."

W32.Sober-K-mm propagates through e-mail attachments and can generate random subject lines and e-mail content in English or German, depending on the e-mail address it collects. Subject lines often contain content like "Alert! New Sober worm", "Paris Hilton Sex Videos", "You visit illegal websites", "Your new password"...

This worm has many ways to create compelling messages that entice users to open attachments in .zip format. Some e-mails impersonate security companies and ask users to update their program against the latest version of ... Sober itself; some, more daring, impersonate an FBI security bulletin.

When the user opens the attachment, the new Sober creates several executable files named csrss.exe, winlogon.exe and smss.exe and immediately adds them to the Software\Microsoft\Windows\CurrentVersion\Run registry key so that these files are run at startup.
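A defender can check for the persistence described above by looking for Run-key values that launch any of those three file names. The following Python code is an added example, not part of the original article: it parses the text printed by the Windows `reg query` command for a Run key, and the sample output, value names and paths in it are constructed.

```python
import ntpath
import re

# File names the article says the worm drops. The genuine Windows processes with
# these names are started by the OS itself, not from a Run key.
MASQUERADED_NAMES = {"csrss.exe", "winlogon.exe", "smss.exe"}
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def image_name(command):
    """Return the lower-cased file name of the program a Run value launches."""
    command = command.strip()
    if command.startswith('"'):                 # "C:\path with spaces\x.exe" /arg
        path = command[1:].split('"', 1)[0]
    else:                                       # unquoted: cut after the first .exe
        match = re.search(r"\.exe\b", command, re.IGNORECASE)
        path = command[:match.end()] if match else command.split(" ", 1)[0]
    return ntpath.basename(path).lower()


def suspicious_run_entries(reg_query_output):
    """Parse `reg query <Run key>` text; return (key, value name, data) hits."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line.upper().startswith(("HKEY_", "HKLM\\", "HKCU\\")):
            key = line.strip()                  # header line naming the key
            continue
        m = VALUE_LINE.match(line)
        if (m and m["type"] in ("REG_SZ", "REG_EXPAND_SZ")
                and image_name(m["data"]) in MASQUERADED_NAMES):
            findings.append((key, m["name"], m["data"].strip()))
    return findings


# Constructed sample output; value names and paths are invented for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    example value    REG_SZ    C:\Example Dir\winlogon.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\update.exe" /silent

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    sample    REG_SZ    "C:\Example\SMSS.EXE" -start
"""

if __name__ == "__main__":
    for key, name, data in suspicious_run_entries(SAMPLE):
        print(f"[!] {key} :: {name} -> {data}")
```

The check matches on file name alone because the article does not say which directory the worm writes its files to.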

The worm also reveals itself in a text file that it creates, and security experts do not understand why this "self-disclosure" text file appears, a "security fault" of Sober itself.