
Beware of Sober variant, MMS worm

By Damian Clarkson, ITWeb junior journalist
Johannesburg, 08 Mar 2005

A new variant of the Sober Internet worm surfaced yesterday and is already widespread in parts of Europe.

Security vendors are keeping a close eye on the Sober.L worm, which most vendors are rating as a medium to high-risk virus, says Justin Stanford, CEO of anti-virus vendor NOD32 SA.

"We saw rapid moving activity on Sober.L reported in Italy and Spain yesterday. Although it is currently on the number 25 spot on virus-radar.com, it may reach the top 10 shortly if it continues at this pace. I expect it will be a medium-high level threat."

The Win32/Sober.L is an Internet worm that spreads via e-mail, and is about 44Kb in size, says Stanford. The e-mail message carrying the worm can be in either English or German, with the language chosen depending on the recipient's address.

Once a machine is infected, it can be difficult to rid it of the virus, says Andrew Lee, CTO for NOD32 product creator Eset. "Unlike previous Sober variants, it locks itself in your computer's memory and rewrites the registry key. Once it's in memory, you can't detect it. It hides itself very well and is extremely hard to clean."

The worm also terminates various security programs, such as HijackThis, McAfee's Stinger or Microsoft's Malicious Software Removal Tool, adds Lee.

The MMS worm

Security vendors are also warning of a worm that spreads using multimedia messaging service (MMS) messages - cellular text messages that include image, audio or video files.

The worm was originally identified in January and poses little threat to users, but the CommWarrior.A worm is noteworthy in that it is the first virus to spread using MMS, says Symantec regional manager Patrick Evans.

"It replicates on Symbian Series 60 phones, and has been rated as a level one threat by Symantec Security Response. CommWarrior.A attempts to spread via MMS or Bluetooth."

The worm arrives with a variety of different subject lines, says Evans. "One example we have come across so far reads: 'Norton AntiVirus - released now for mobile, install it.'"

Stanford reiterates that it carries a low threat and is unlikely to cause any damage. "People who get infected can easily shut the virus down on the phone themselves. They also have to really try hard to get infected, because even when they receive the infected MMS, and open the attachment, a string of warnings will first appear before it will actually be executed."
