Article

Multiple new Sober variants spy on passwords

Bill Brenner

Antivirus firms are tracking several new variants of the prolific Sober worm, warning that these versions drop malicious files onto the machines they infect. Like past variants, these use e-mail attachments to spread.

"We went from Sober-U to Sober-Z about four hours ago," Kaspersky Lab of Russia said on its Web site Tuesday. "These Sobers are pretty much the same [as] before."

The worm drops a file oddly named "not-a-virus:PSWTool.Win32.PassView.162" into the system directory, Kaspersky said. "This tool is used to spy on passwords. Like previous variants, Sober-U uses an exclusive lock to make removal difficult."

Kaspersky said possible e-mail attachments may be under such names as: Exceltab-packed_List.exe, Liste.zip and Reg-List-Dat_Packer2.exe., reg_text.zip Word-Text.zip, Word-Text_packedList.exe and Word-Text_packedList.zip.

Cupertino, Calif.-based Symantec reported the appearance of Sober-S@mm, Sober-W@mm and Sober-T@mm, saying the variants use their own SMTP engine to spread. "It sends itself as an e-mail attachment to addresses gathered from the compromised computer," the firm added.

Finnish antivirus firm F-Secure Corp. said it has raised its alert status to level 2 because of the four Sober variants it has been monitoring. At last check, F-Secure reported Sober-X and Sober-Z as the latest variants.

According to F-Secure, Bavarian police warned it on Monday that a new Sober attack might be launched the following day. The prediction proved accurate, the firm said in its daily lab blog.

"The German police is basing the information on a year-long investigation into the Sober case (the author of the virus is German)," F-Secure said. "They also say they can not provide more details at this time."

This article originally appeared on SearchSecurity.com.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: