Sober worm offshoot lurks behind class photo

By Ina Fried
Staff Writer, CNET News.com

Published: October 6, 2005, 12:41 PM PDT

TalkBack E-mail Print TrackBack

Now that's a really bad high-school photo.

A new variant of the Sober e-mail worm has started spreading as an attachment that claims to be an old class photo sent by a schoolmate. But if recipients open the file, they don't see a picture of themselves in braces. Instead, a worm tries to steal their information and then mail itself to others.

Antivirus software maker Sophos said the Sober variant is now the second most commonly reported virus, accounting for approximately 10 percent of all reports in the last 12 hours.

"Playing off of flattery, nostalgia and the success of Web sites (like Friends Reunited and Classmates Online), this dangerous virus has only one aim: to steal information from as many victims as it can," Gregg Mastoras, a senior security analyst at Sophos, said in a statement.

But others downplayed the risk. Symantec, for example, rated the bug a "2" on its scale of 1 to 5, with 5 being the most threatening.

"We're seeing a number of submissions--but not anything overwhelming," said Eric Chien, principal software engineer at Symantec Security Response. "It's not going to be a Blaster," he added, referring to the MSBlast worm outbreak.

Chien said there are two reasons for this. First, both companies and individuals are becoming more sophisticated in their awareness of threats. Businesses are blocking e-mail attachments that carry executable files, even those that are compressed, while individuals are treating unsolicited attachments with more suspicion, even if they recognize the sender.

"I think people are definitely more tuned in to your classic e-mail worm," Chien said.

Second, virus writers are increasingly putting their energy toward more targeted attacks, often those aimed at quietly making money through theft rather than attracting infamy through a mass outbreak. That said, Chien said he doesn't see the classic mass-mailing worm going away.

"We'll still have them," he said. "They will sort of be that background noise."

Sober variants, in particular, have topped the ranks this year, with one version spewing hate messages and another offering free World Cup tickets. Although it is making a comeback this year, the bug has been around since 2003.

As is typical, the virus is getting different names from different companies. Sophos is calling it Sober-O, Secunia is calling it Sober.R, and Symantec is calling it W32.SoberQ@mm. But under a new identifier system designed avoid name confusion, it is known by all as CME-151.

"It's less sexy of a name, but at least it provides a cross-reference for vendors and customers," Chien said.

TalkBack E-mail Print TrackBack

Read more on this story's topics and companies

• Add to My News | Create an alert Viruses and worms

TalkBack

Did you know?

Select a tab below to set your default view.