DENVER, May 4, 2005 - MX Logic, Inc., a leading provider of innovative email defense solutions that ensure email protection and security for enterprises, service providers, government organizations, resellers and their customers, this morning reported that the W32/Sober.N mass-mailing worm (aka W32/Sober.P, W32/Sober.P@mm, W.32/Sober.O@mm, and W.32/Sober.S@mm) continued to propagate this morning, with 1 in 7 email messages that pass through the MX Logic Threat Center infected with the worm.
“Sober.N is definitely making its mark as the most prolific worm of 2005,” said Scott Chasin, CTO, MX Logic. “The propagation ebbs and flows, with spikes occurring primarily when European email users are online. For example, as email users in Europe came online today, the MX Logic Threat Center saw the number of infected messages double.”
MX Logic first detected the Sober.N worm the morning of Monday, May 2 and began blocking it immediately on behalf of its 4,100 customers worldwide. As of 9:00 a.m. MT Wednesday, May 4 the Sober.N worm accounted for 88 percent of all virus-infected messages through the MX Logic Threat Center and 14 percent of all email traffic that MX Logic filters.
Sober.N is a mass mailing worm spread through a .zip file attached to the email. Once the attachment is opened, the worm uses its own email engine to send itself to addresses harvested from the infected computer.
“Sober.N is yet another example of the increasingly sophisticated social engineering tactics that worm authors use to lure email users into spreading the worm,” Chasin said. “In this case, the authors not only leveraged both English and German language emails to spread, but also capitalized on the current interest in Europe in 2006 World Cup Soccer tickets.”
As with other recent variants of the Sober worm, Sober.N uses a number of different subject lines, message bodies and attachments, sent in both English and German. If Sober.N determines it is being sent to an email address with a domain generally reserved for a German language country (e.g., .de, .ch, .at, .li) then the worm sends messages in German. The German language email messages indicate that the recipient has won tickets to the 2006 World Cup, thereby enticing the recipient to open the attachment. The English language messages, however, carry more mundane subject lines including “Mailing Error,” “Registration Confirmation,” “Your email was blocked,” and “Your Password.”
The worm’s appearance coincided with the beginning of the second sales phase of 2006 World Cup soccer tickets. However, unlike the phony emails sent out by Sober.N, official ticket confirmations sent out by the Federation Internationale de Football Association (FIFA) World Cup Organizing Committee do not contain an attachment.
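The traits described above (a .zip attachment, the listed English subject lines, German-language lures sent to .de/.ch/.at/.li recipients) can be turned into a simple mail-triage check. The following is an added example, not MX Logic's filter; the `ticket` keyword, the function names and the sample messages are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the text above. "ticket" is an assumed keyword for the
# World Cup lure, since the page gives no German subject lines.
ENGLISH_SUBJECTS = {"mailing error", "registration confirmation",
                    "your email was blocked", "your password"}
GERMAN_TLDS = (".de", ".ch", ".at", ".li")
LURE_KEYWORD = "ticket"

def triage(raw: bytes) -> str:
    """Return 'hold', 'review' or 'pass' for one raw email message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Normalise case and whitespace before comparing subject lines.
    subject = " ".join(str(msg["Subject"] or "").lower().split())
    # Walk every MIME part so nested attachments are seen too.
    zips = [p.get_filename() for p in msg.walk()
            if (p.get_filename() or "").lower().endswith(".zip")]
    if not zips:
        return "pass"      # the worm is described as arriving in a .zip file
    to = msg["To"]
    domains = [a.domain.lower() for a in to.addresses] if to else []
    german_rcpt = any(d.endswith(GERMAN_TLDS) for d in domains)
    if subject in ENGLISH_SUBJECTS:
        return "hold"      # known English subject plus .zip
    if german_rcpt and LURE_KEYWORD in subject:
        return "hold"      # ticket lure to a German-language domain plus .zip
    return "review"        # .zip present but no known lure matched

def build_sample(to, subject, attachment=None) -> bytes:
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", to, subject
    m.set_content("constructed body text")
    if attachment:
        m.add_attachment(b"PK\x05\x06" + b"\x00" * 18, maintype="application",
                         subtype="zip", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    for args in [("user@example.com", "Your Password", "info.zip"),
                 ("user@example.de", "WM Ticket Bestellung", "tickets.zip"),
                 ("user@example.com", "Quarterly report", "report.zip"),
                 ("user@example.com", "Your Password", None)]:
        print(args[1], "->", triage(build_sample(*args)))
```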
MX Logic encourages email users to:
- Routinely update their anti-virus engines
- Never open a suspicious email, even if it appears to be from a known sender
- If you are fooled into opening a suspicious email, never open the email attachment