* FBI warns of faked e-mail messages with malicious payload

Many of the readers of this column are network or security administrators who have users they care about. Here’s a note about a rapidly growing worm infestation about which you should warn your users.

The FBI issued an alert Nov. 22 warning that criminals are circulating a false accusation addressed to “Dear Sir/Madam” claiming that the recipient has visited “more than 30 illegal Websites.” The e-mail message demands that the recipient fill out a questionnaire that is attached; it is infected with the W32/Sober.AG worm (see for example the Nov. 23 alert from F-Secure).

F-Secure reports that the new outbreak is the worst e-mail worm attack they have seen in 2005: “Several millions of infected e-mails have been seen by internet operators over the last hours. One of the reasons why this e-mail worm seems to be so successful in spreading is that some of the messages it sends are fake warnings from FBI, CIA or from the German Bundeskriminalamt (BKA).”

Apparently the 25 (and counting) variants of these Sober worms have been created by some warped personality in Germany; F-Secure states that “all Sober variants send German messages to German email addresses and English messages to other addresses.”

The Trend Micro alert points out that in addition to the fake FBI warning, other e-mail messages carrying the worm have subjects referring to registration confirmation, passwords, mail delivery failure, new e-mail addresses and “Paris Hilton & Nicole Richie” video clips. The attachments are all real ZIP files containing an installer program.

Opening the ZIP files flashes a fake message claiming that the ZIP file is damaged but actually creates a folder called “WinSecurity” in the current Windows folder and places a number of files into that folder. It also puts files into the Windows system folder. The worm adds keys to the registry to auto-load on system start-up.
It collects e-mail messages from a wide range of source files and uses its own SMTP mail process to send out its junk. As a final pernicious attack, the worm terminates the Microsoft Windows Malicious Software Removal Tool process.

Although all the anti-virus companies are fighting this worm, it is still worth reminding users not to open e-mail attachments that they are not expecting. As for the “FBI” message, ask users what kind of police force is likely to send mass mailings to “sir/madam” when investigating crimes.

Don’t let the malware authors worm their way into your users’ confidence.