A new virus threat called Sober could be causing a few headaches today, according to antivirus researchers.
The Sober worm, spotted in the last 12 hours, is a traditional attachment-based piece of malware that uses social engineering to trick people into activating its payload.
In contrast with the Flea virus discovered last week, which so far appears to have failed to bite, Sober hides its code in an HTML email. Microsoft Outlook users can activate the payload just by opening the email.
"We haven't seen many reports of Flea at all," said Graham Cluley, senior analyst at antivirus specialist Sophos.
"Meanwhile the Sober worm has been around for a few hours and we've seen several reports of infections. It surfaced about midnight and is spreading through email systems as people log on and start checking their mail."
Sober arrives as an email in English or German with the payload coming as an attachment. It uses a wide variety of headers, promising that the attachment contains everything from pornography to an antivirus patch.
Once activated the malware installs itself as 'drv.exe', 'similare.exe' or 'systemchk.exe'. It then mails itself to any found addresses using its own SMTP engine. The outgoing emails have spoofed headers, which makes backtracking the virus source more difficult.
The Sober worm has also been upgraded to the same threat level as Flea by antivirus firm F-Secure.
Jason Holloway, general manager of F-Secure, said: "There's been some growth in Flea infections. Its method of propagation is quite unusual but it's no SoBig.
"The way it was initially spread doomed it from the start - it started from a low infection base and we found a solution quickly."
source:
vnunet
