How To Stop The Sober Worm

The worm that hit this week is the 18th version of one that first surfaced two years ago. Businesses can prevent it from damaging their networks and computer systems by taking a few simple steps.

Martin Garvey, Contributor

May 5, 2005


Whoever wrote the Sober.P worm is persistent. The worm, which raced around the Internet this week, is the 18th version of a worm that first made its appearance two years ago. This one first surfaced in Western Europe on Monday and began to infect computers, but it fizzled out when it crossed the ocean and hit the United States. Today, security analysts and vendors are helping companies to clean up the mess Sober.P left behind and are reminding businesses how to prevent such worms from causing damage.

This version of Sober offered tickets for next year's World Cup soccer championship, taking place in Germany, in an effort to get users to click on an attachment to unleash the worm, which then looked for E-mail addresses so it could send itself to other computers, according to McAfee Security. The worm doesn't delete information or damage computers. It mainly affects the bottom line because it consumes network bandwidth and requires time and effort to remove from computers.

While the creators of Sober.P may be persistent, they aren't very creative, according to security experts. The main change from one version to the next has been the use of different file names for the attachment and different body text in the E-mail, according to Lysa Myers, virus research engineer at the antivirus and vulnerability emergency response team at McAfee. "This is pretty well par for the course for what changes we see between one variant in a family and the next," she says. "Changing text is much simpler than changing functionality."

Alfred Huger, senior director of engineering at Symantec Security Response, says it doesn't take a lot of work to counter a threat like Sober.P. "We see a long line of repeats like this, and Sober.P didn't even carry out its payload while it attached and spread," he says. Changing the E-mail subject line is the most common way virus and worm creators roll out new versions of their malware, he says.

It is fairly easy to prevent worms such as Sober.P from invading a company's network or computer systems, experts say. The first step is to try to convince users not to open attachments contained in E-mails from unknown senders. But despite years of such warnings, it's clear that many users have paid no heed.

But security managers can take steps to reduce the chances that users will have the opportunity to open and unleash such worms, says Peter Lindstrom, founder at analyst firm Spire Security. The first step is to scan all E-mail messages at the server or network gateway in an effort to spot worms and viruses. And businesses must make sure that their scanners use up-to-date filters and code to spot new threats. Security managers also must constantly review security-event logs to make sure that security updates and other fixes have been properly distributed and installed.

It's also important to communicate with users, to make sure they know of new and potentially dangerous threats, he says. And, if all else fails and a worm or virus does make it onto the network, have antivirus and other security software installed on each desktop computer to limit the damage.
