A new variant of the bilingual Sober family of mass-mailers has emerged.

8 March 2004

W32/Sober.D@mm is a new variant of the Sober family of mass-mailing worms. It was first detected by FRISK Software virus analysts late on Sunday evening, 7 March 2004.

Previous Sober variants gained their largest distribution in Germany, and this newest one is no exception. As with its predecessors, e-mails carrying this variant are spreading in both German and English language versions.

The e-mails carrying W32/Sober.D@mm falsely claim to be from Microsoft and to provide an update to protect users from a new version of Mydoom. On infection, Sober.D displays a fake message stating that the patch has been successfully installed. The worm then scans the infected computer's hard drive for files with pre-defined filename extensions. It harvests e-mail addresses from these files and subsequently spreads further by sending itself to these harvested addresses using its own SMTP engine.

The English language e-mail contains minor variations on the following:

[From:] Forged address
[Subject:] Microsoft Alert: Please Read!
[Body:]

New MyDoom Virus Variant Detected!

A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through
the Internet.
Anti-virus vendor Central Command claims that 1 in 45 e-mails contains
the MyDoom virus.
The worm also has a backdoor Trojan capability.
By default, the Trojan component listens on port 13468.


Protection:
Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.


+++ c2004 Microsoft Corporation. All rights reserved.
+++ One Microsoft Way, Redmond, Washington 98052
+++ Restricted Rights at 48 CFR 52.227-19



The German language e-mail contains minor variations on the following:

[From:] Forged address
[Subject:] Microsoft Alarm: Bitte Lesen
[Body:]

Neue Virus-Variante W32.Mydoom verbreitet sich schnell.

Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im Internet.
Wie seine Vorganger verschickt sich der Wurm von infizierten Windows-
Rechnern per E-Mail an weitere Adressen.
Zudem installiert er auf infizierten Systemen einen gefahrlichen Trojaner!
Fuhrende Virenspezialisten melden bereis ein vermehrtes Aufkommen des
W32.Mydoom alias W32.Novarg.


Bitte daten Sie Ihr System mit dem Patch ab, um sich vor diesem Schadling
zu schutzen!


+++ c2004 Microsoft Corporation. Alle Rechte vorbehalten.
+++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse 1
+++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943
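
A mail-gateway heuristic for the two templates above, as an added example (not FRISK Software's code and not how F-Prot Antivirus detects the worm). It scores the traits both language versions share: the "Microsoft Alert/Alarm" subject, the Mydoom lure, the "+++" Microsoft footer, and an attached file. The function names, the threshold of 3, and the sample messages with their inert `sample.bin` attachment are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Traits taken from the two templates in this advisory. Real messages carry
# "minor variations", so each trait is matched loosely and scored.
SUBJECT_RE = re.compile(r"microsoft\s+(alert|alarm)\b", re.I)
LURE_RE = re.compile(r"my\s?doom|novarg", re.I)
FOOTER_RE = re.compile(r"^\+{3}.*microsoft", re.I | re.M)
THRESHOLD = 3  # assumption: tune against your own mail flow

def body_text(msg):
    """Join all text/plain parts that are not themselves attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode("latin-1"))  # never fails; traits are ASCII
    return "\n".join(chunks)

def sober_d_score(raw_message):
    """Return 0-4: one point per trait of the Sober.D lure that is present."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = body_text(msg)
    return sum([
        bool(SUBJECT_RE.search(str(msg.get("Subject", "")))),
        bool(LURE_RE.search(body)),
        bool(FOOTER_RE.search(body)),
        any(part.get_filename() for part in msg.walk()),  # carries a file
    ])

def is_suspect(raw_message):
    return sober_d_score(raw_message) >= THRESHOLD

def make_sample(subject, body, attach):
    """Build a constructed test message; the attachment is inert placeholder bytes."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if attach:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename="sample.bin")
    return m.as_string()

EN = make_sample("Microsoft Alert: Please Read!",
                 "New MyDoom Virus Variant Detected!\n+++ c2004 Microsoft Corporation.\n", True)
DE = make_sample("Microsoft Alarm: Bitte Lesen",
                 "Neue Virus-Variante W32.Mydoom\n+++ c2004 Microsoft Corporation.\n", True)
NEWS = make_sample("Re: Mydoom news", "Did you read about MyDoom today?\n", False)
```

Scoring rather than exact matching keeps the check useful when the subject or body wording drifts, while an ordinary message that merely mentions Mydoom stays below the threshold.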




Recommended Reactions

Users are advised to update their virus signature files and make sure they have the latest versions of F-Prot Antivirus installed on their computers.

After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.

Threat Detection

The latest versions of F-Prot Antivirus detect W32/Sober.D@mm using virus signature files dated 8 March 2003 or later.

Commtouch® is a leading developer of anti virus software and anti spam filtering services. Commtouch's anti virus computer software, F-PROT Antivirus, is available for a number of operating systems such as Windows, Linux, BSD, Solaris, and AIX as well as the Microsoft Exchange groupware.
