Sober at it again
Thursday, May 05, 2005
Author: Richard S. Westmoreland
Permalink: sober-worm
Virus Alerts
It still amazes me that email worms continue to be such a prolific menace to mail systems worldwide. Their avenue of replication typically depends on user intervention: the recipient opens the attachment, which infects their system, and that infected system then sends copies of the worm to every recipient in the victim's address book. The point is that the worm is not spread through some flaw in the operating system - it is people's curiosity and lack of caution that starts outbreaks.
The newest worm is designated Sober.O by Symantec, Sober-N by Sophos, and Sober.P by McAfee and F-Secure. Trend Micro has jumped ahead a few letters to name it WORM_SOBER.S.
ZDNet reports that this newest variant spread rapidly enough to account for 77% of all viruses detected by Sophos. The emails are generated in either English or German. Sophos reports that some of the message bodies aim to entice World Cup fans.
F-Secure provides a good description of Sober. The email will use one of the following subjects:
Re: Your Password
Re: Registration Confirmation
Re: Your email was blocked
Re: mailing error
FwD: Ihr Passwort
FwD: Ihre E-Mail wurde verweigert
FwD: Ich bin's, was zum lachen ;)
FwD: Glueckwunsch: Ihr WM Ticket
FwD: WM Ticket Verlosung
FwD: WM-Ticket-Auslosung
The message body will contain one of the following:
Account and Password Information are attached!
Visit: http://www.[collected_url].com
This is an automatically generated E-Mail Delivery Status Notification.
Mail-Header, Mail-Body and Error Description are attached
Attachment-Scanner: Status OK,AntiVirus: No Virus found,Server-AntiVirus: No Virus (Clean)
[collected_url] is replaced by a domain Sober has recorded. The attached file is a zip archive containing a 52kb executable. Once run, it displays a fake error prompt reading "Error: CRC not complete". It then creates the following files: services.exe, csrss.exe, smss.exe, packed1.sbr, packed2.sbr, and packed3.sbr. Note that the first three are names of legitimate Windows system processes, so the worm's copies blend in with a casual look at the task list.
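The indicators above (a fixed set of subject lines, a handful of body phrases including a fake "AntiVirus: No Virus found" stamp, and a zip attachment carrying an executable) are enough for a simple mail-gateway triage rule. The following Python is an added example, not code from this post or from any of the vendors named in it; the sample messages are constructed here, the zip member is an inert placeholder rather than anything from the worm, and the quarantine threshold is my own assumption.

```python
"""Gateway-style triage for the Sober lures quoted in the post (added example)."""
from __future__ import annotations

import io
import re
import zipfile
from email.message import EmailMessage

# Subject lines quoted in the post (English and German variants).
SOBER_SUBJECTS = {
    "Re: Your Password",
    "Re: Registration Confirmation",
    "Re: Your email was blocked",
    "Re: mailing error",
    "FwD: Ihr Passwort",
    "FwD: Ihre E-Mail wurde verweigert",
    "FwD: Ich bin's, was zum lachen ;)",
    "FwD: Glueckwunsch: Ihr WM Ticket",
    "FwD: WM Ticket Verlosung",
    "FwD: WM-Ticket-Auslosung",
}
_SUBJECTS_FOLDED = {s.casefold() for s in SOBER_SUBJECTS}

# Body fragments quoted in the post. A real gateway never writes a
# "No Virus found" verdict into the message body, so those lines are a strong tell.
BODY_MARKERS = (
    "Account and Password Information are attached",
    "Mail-Header, Mail-Body and Error Description are attached",
    "Attachment-Scanner: Status OK",
    "AntiVirus: No Virus found",
    "Server-AntiVirus: No Virus (Clean)",
)

EXECUTABLE_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.IGNORECASE)


def zip_contains_executable(data: bytes) -> bool:
    """True if the zip archive lists a member with an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(EXECUTABLE_EXT.search(name) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def score_message(msg: EmailMessage) -> list[str]:
    """Return every Sober indicator found in one message, as 'class:detail' strings."""
    hits: list[str] = []
    subject = str(msg.get("Subject", "")).strip()
    if subject.casefold() in _SUBJECTS_FOLDED:
        hits.append(f"subject:{subject}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(".zip"):
            if zip_contains_executable(part.get_payload(decode=True) or b""):
                hits.append(f"zip-with-exe:{filename}")
        elif part.get_content_type() == "text/plain":
            text = part.get_content()
            hits.extend(f"body:{m}" for m in BODY_MARKERS if m in text)
    return hits


def triage(msg: EmailMessage) -> tuple[list[str], str]:
    """Assumed policy: an executable-in-zip plus any lure text is quarantined;
    a single indicator class is only flagged for review."""
    hits = score_message(msg)
    classes = {h.split(":", 1)[0] for h in hits}
    if "zip-with-exe" in classes and len(classes) > 1:
        return hits, "quarantine"
    return hits, ("flag" if hits else "deliver")


def build_sample(subject: str, body: str, zip_member: str | None = None) -> EmailMessage:
    """Construct a test message; the zip member is an inert placeholder, not malware."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content(body)
    if zip_member:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(zip_member, b"placeholder, not an executable")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="mail-info.zip")
    return msg


# Constructed samples mirroring the lures quoted in the post.
SAMPLES = {
    "password_lure": build_sample(
        "Re: Your Password",
        "Account and Password Information are attached!\nVisit: http://www.example.invalid\n",
        "mail-info.exe"),
    "bounce_lure_de": build_sample(
        "FwD: Ihre E-Mail wurde verweigert",
        "This is an automatically generated E-Mail Delivery Status Notification.\n"
        "Mail-Header, Mail-Body and Error Description are attached\n"
        "Attachment-Scanner: Status OK,AntiVirus: No Virus found,Server-AntiVirus: No Virus (Clean)\n",
        "error-report.exe"),
    "zip_only": build_sample("Re: quarterly figures", "Spreadsheet attached.\n", "figures.exe"),
    "benign": build_sample("Re: lunch tomorrow", "See you at noon.\n"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        hits, verdict = triage(sample)
        print(f"{name:15s} {verdict:10s} {hits}")
```

To run this over real mail instead of the constructed samples, parse each message with `email.message_from_bytes(raw, policy=email.policy.default)` so that `get_content()` is available on the parts. The subject and body lists are deliberately exact strings: Sober's templates are fixed, so a substring match is cheap and gives very few false positives, while the zip-with-executable check catches the payload even when a later variant changes its wording.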
Sober at it again
Authored by: mechBgon on Thursday, May 05, 2005
Some people are completely clueless that there is a threat in the first place. I got a call from a friend of my boss asking for help with his home network. So I went over there, and if it could be wrong, it WAS wrong.
Wireless LAN. Security: Off. It is some piece-of-junk ActionTec gateway where the "firewall" settings are "basic, low, medium, high," whatever that means.
Computers had not been patched since 2001, only one system had antivirus software, there was adware, spyware, viruses, Trojans and dialers on the son's computer, and adware/spyware on the others. The son's computer quit connecting to the Internet, and that's what got Dad to call me, as it turned out.
So it was just a wake-up call at how much I've been assuming people know, versus how much the average homeowner really does know. I could see these people opening ANYTHING in their email. :P