Skip navigation
Skip navigation
You are using an outdated browser. Please upgrade your browser.

Grant Butler Coomber

MEDIA ADVISORY – MEDIUM RISK ALERT ISSUED FOR “WORM_ SOBER.S”

Worm Variant Gets Football Fans to Download Latest Worm by Posing as Fake offer for Free Tickets to FIFA World Cup 2006

May 02, 2005 – Trend Micro issued a “medium risk” alert to raise awareness of a new variant of the “Sober” worm that mass mails itself through SMTP email, and is socially engineered to trick users into opening the file attachment containing the worm program. One of the tricks is pretending to be an offer for free tickets to the World Cup 2006 games in Germany, from the Federation Internationale de Football Association (FIFA). WORM_SOBER.S has been sighted in Germany and the U.S., in German and English languages.

Similar to previous variants, WORM_SOBER.S spreads by mass-mailing itself through its own SMTP engine, gathering new recipients from each victim computer, yet avoids sending to certain domains, particularly to companies involved in the antivirus and security industry.

WORM_SOBER.S arrives under a variety of subject headers, message bodies, and attachments. The “from” address may appear as
• Admin
• Hostmaster
• Info
• Webmaster

And include attachments named
• PassWort-Info.zip
• account_info-text.zip
• autoemail-text.zip

One such variation appears to be an official communication from the FIFA organization, stating “Congratulations, you have won free tickets,” and arrives with the attachment “Fifa_Info-Text.zip.” The recipient would believe they had won highly coveted tickets to the annual football event, to be held in Germany in 2006. Instead, once the user opens the attachment, an error message appears, and the worm is launched.

“This is a prime example of social engineering – these games are very popular worldwide and even users who are savvy enough to suspect this email is a fake, may take a risk and click on the attachment anyways in hopes of getting free tickets,” commented Jamz Yaneza, senior virus researcher at TrendLabs. “It can be a bad gamble to take.”
Once it has infected a system, WORM_SOBER.S drops several files on the infected system and modifies Windows registries to execute again at each system startup.
WORM_SOBER.S arrives in a file about 53 KB in size, and can be in UPX format. It can affect Windows 98, ME, NT, 2000 and XP platforms.
Trend Micro customers are protected through the latest pattern file, number 2.611.00 or higher. Customers of Outbreak Prevention Services should download OPP 171 (or later) to help protect against spread of this threat. For customers of Damage Cleanup Services, Damage Cleanup template # 588 should be downloaded to help with automated restoration of affected systems. Network VirusWall users can use prevention pattern file 10222.
Other users should use Trend Micro’s free online virus scanner, Housecall, which can be found at http://housecall.trendmicro.com/
For more information on WORM_SOBER.S, please visit http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VN...
About Trend Micro
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has business units worldwide. Trend Micro products are sold through corporate, value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit: www.trendmicro.com.

# # #
Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners. Information is accurate time it was written and is subject to change without notice.



For more information please contact:
Sophie Heximer
sophieh@gbc.co.uk
020 8322 1922

This press release was distributed by ResponseSource Press Release Wire on behalf of Onechocolate Communications in the following categories: Men's Interest, Sport, Consumer Technology, Business & Finance, Computing & Telecoms, for more information visit https://pressreleasewire.responsesource.com/about.