New Sober variant tricks users in German

Apr 19, 2005

Mass mailer worm harvests e-mail addresses that enable the worm to spread

A new Sober mass mailer worm is slithering its way around the Net and tricking users into opening attachments with clever messages in both English and German, antivirus companies warned Tuesday.

W32.Sober.N@mm sends e-mail messages with the subject headers “I’ve_got your EMail on my_account!” and “FwD: Ich bin’s nochmal” and carries attachments with names like your_text.zip, according to Helsinki security firm F-Secure. When opened, the attachment scans files on the infected computer to harvest e-mail addresses that enable the worm to spread.

Symantec also released an advisory on the Sober variant, rating its damage as “medium.”

The worm was first reported at 2 a.m. CET and has been spreading in Europe, particularly in German-speaking countries, according to Mikko Hyppönen, director of antivirus research at F-Secure.

The body text for the English version begins “Hello, First, Very Sorry for my bad English. Someone is sending your private e-mails on my address.” It then tells the recipient that 10 of their personal e-mails are attached in a zip file.

The message represents a clever bit of social engineering because it appears plausible, and in the case of the German versions, is in a local language, Hyppönen said. Most users are accustomed to receiving spam and viruses in English, he added.

The motive behind creating the worm is still unclear and F-Secure does not know the identity of the author, Hyppönen said.

It is difficult to tell how rapidly the worm is spreading because the author used computers infected with a previous version of Sober to launch the new variant and “get a head start,” Hyppönen said.

The researcher believes that the author is based in Europe because Sober variants are always released very early in the morning European time, giving them a chance to spread before the antivirus companies start their day.

F-Secure and Symantec both advised Internet users to update their antivirus software to guard against the new worm.