Version: 2008
  • On TechRepublic: Windows 7: Slower to boot than Vista?

March 8, 2004 7:29 AM PST

Worm disguises self as Microsoft patch

By Munir Kotadia
Staff Writer, CNET News

  • 1 comment
Related Stories

Worms nibble away at ISP profits

 March 3, 2004

Variant of NetSky virus takes flight

 March 1, 2004

Latest MyDoom picking up pace

 February 25, 2004

RIAA to face MyDoom's music?

 February 20, 2004

MyDoom virus spells double trouble

 February 3, 2004

Xombe Trojan poses as Microsoft warning

 January 12, 2004
The latest variant of the mass-mailing Sober worm masquerades as an official Microsoft patch for the MyDoom worm.

Sober.D, discovered on Monday, is technically similar to its previous incarnation as Sober.C, where it used its own SMTP engine to send copies of itself to e-mail addresses found on infected systems. But the latest version displays fake Microsoft warnings and error messages.


Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.
"It arrives in an e-mail that pretends to be a patch to protect against a version of MyDoom," said Graham Cluley, a senior technology consultant at antivirus company Sophos. "The e-mail appears to be a Microsoft patch, so people will of course double-click on that attachment."

According to Finnish antivirus company F-Secure, Sober.D spreads either as an executable attachment or inside a password-protected Zip archive attached to an e-mail. Once a person clicks on the file, the worm scans the PC to see if it has already been infected.

If the system is clean, a small box appears with the message: "This patch has been successfully installed." If the system is already infected with Sober.D, the message says: "This patch does not need to be installed on this system."

Sober.D also changes its language depending on where it is being sent. If the recipient's e-mail address has a "de," "ch," "at," "li," "nl" or "be" extension, the text will be in German and the subject will read: "Microsoft Alarm: Bitte Lesen." Otherwise the subject line is in English and reads: "Microsoft Alert: Please Read!" Previous versions of Sober have also been bilingual, Cluley said.

This is not the first time that a worm has disguised itself as a Microsoft update. In January, the Xombe, or Trojan.Xombe, worm posed as a critical patch for Windows XP. This was believed to be a copycat of 2003's most successful worm, Swen, which is thought to be the first known worm to masquerade as a security warning from Microsoft.

Microsoft has always maintained that it does not e-mail patches to people, so they should ignore any such messages.

Munir Kotadia of ZDNet UK reported from London.

Add a Comment (Log in or register)
Be careful
by buddyro2975 March 8, 2004 9:00 AM PST
be careful reading your emails people!
Reply to this comment
advertisement

Latest tech news headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Markets

Market news, charts, SEC filings, and more

Related quotes

Microsoft (1.61%) 0.46 28.98
Dow Jones Industrials (1.93%) 193.77 10,217.19
S&P 500 (2.03%) 21.66 1,090.96
NASDAQ (1.80%) 38.05 2,150.49
CNET TECH (1.88%) 28.95 1,567.35
  Symbol Lookup
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET