The Sober family of worms first hit the Internet back in October of 2003, and it raged around the globe, wildly infecting computers throughout 2004 and into 2005. Now, two security companies in the last few days have spotted a new variant making the rounds.
Hon Lau, a senior security response engineer at Symantec, wrote in a blog on Monday that he began to see [email protected] being spammed out to users on Sunday. The e-mail, which comes in either German or English, holds the malicious code in an attachment and uses social engineering techniques to trick unsuspecting users into opening it.
The body of the message reads: "You notified us that you have forgotten your password. We have changed your password to a random sequence of letters and digits! For more detailed information, see the attached password file."
The attachment is often called: Passw_Data, PDatan, or Mail_Data. So far, they have all been zip files.
"The Sober gang has been messing around with malware for a couple of years, spreading their code far and wide," said Graham Cluley, a senior technology consultant with Sophos, in an interview. "Their malware downloads additional malicious code from the Web, designed to take over PCs, send spam, etc. The hackers behind Sober have been successful in spamming out their malicious code widely in the past."
Lau and Cluley both warn users not to open attachments from unknown senders and to keep their antivirus software updated.
"It has been a while since we last saw significant activity in this family of worms," wrote Lau. "The last named variant was back in 2005. Just like fashion, things often go out of style, only to make a comeback later. Could this be the come back of Sober?"