Bilingual Worm Burrows Through Microsoft Systems

10-30-03, 08:14 PM
Masquerading as a fix for a fictitious new worm, malware known as Sober-A has gained traction since Monday and continues to infect Microsoft Windows systems. Diligent enterprises, however, should be minimally affected if their AV software is up-to-date and they filter .exe attachments.

The infected e-mail arrives in both English and German with an assortment of subject lines, such as "A worm is on your computer!", and an attached file labeled "removal-tool.exe"; both are designed to scare recipients into opening the attachment. When executed, the worm searches the infected system for e-mail addresses so it can mail itself to other potential victims. It also propagates with its own SMTP engine.

According to researchers at AV vendor Sophos, Sober-A inserts the file Macromed\Help\Media.dll in the Windows\system directory. This file contains e-mail addresses harvested from infected systems.

The worm also replicates to the Windows system folder with one of the following names: similare.exe, systemchk.exe or systemini.exe. It alters the registry so that the worm launches when the user logs on to their computer.

Sober-A is not the first bilingual worm. Earlier this year, Fizzer arrived with e-mails written in English, Dutch and German.

Security experts also advise that virus alerts rarely, if ever, contain e-mail attachments.
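The .exe attachment filtering mentioned above can be sketched as a gateway-side check. This is an added example, not code from the article or from any vendor it cites; the function names, the extension list beyond .exe, and the sample messages are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed gateway policy: the article names only .exe, the rest are illustrative.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}

def flag_attachments(raw):
    """Return (filename, reason) for each attachment a gateway should quarantine."""
    msg = message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None:
            continue  # message body, not an attachment
        # Windows ignores trailing dots and spaces, so strip them before
        # reading the extension; compare case-insensitively.
        ext = os.path.splitext(name.strip().rstrip(". ").lower())[1]
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            flagged.append((name, "blocked extension"))
        elif payload[:2] == b"MZ":
            # DOS/PE executables begin with "MZ" whatever the file is called.
            flagged.append((name, "executable header"))
    return flagged

def build_sample(filename, data):
    """Build a constructed test message; the attachment bytes are inert filler."""
    msg = EmailMessage()
    msg["Subject"] = "A worm is on your computer!"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("Constructed sample body.")
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    samples = [("removal-tool.exe", b"MZ" + b"\x00" * 16),
               ("readme.txt", b"MZ" + b"\x00" * 16),
               ("report.txt", b"plain text")]
    for fname, data in samples:
        print(fname, flag_attachments(build_sample(fname, data)))
```

The header check catches an executable that has simply been renamed, which an extension-only filter would pass.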