Multiple new Sober variants spy on passwords

Article

Multiple new Sober variants spy on passwords

Antivirus firms are tracking several new variants of the prolific Sober worm, warning that these versions drop malicious files onto the machines they infect. Like past variants, these use e-mail attachments to spread.

"We went from Sober-U to Sober-Z about four hours ago," Kaspersky Lab of Russia said on its

    Requires Free Membership to View

    Login

    When you register, you’ll also receive targeted alerts from my team of editorial writers and independent industry experts with the latest news, tips, and advice to help you do your job more efficiently and effectively. Our goal is to keep you informed on the hottest topics and biggest challenges faced by IT professionals today working with desktop management and security technologies.

    Cathleen A. Gagne, Senior Editorial Director

    By submitting your registration information to SearchEnterpriseDesktop.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchEnterpriseDesktop.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Web site Tuesday. "These Sobers are pretty much the same [as] before."

The worm drops a file oddly named "not-a-virus:PSWTool.Win32.PassView.162" into the system directory, Kaspersky said. "This tool is used to spy on passwords. Like previous variants, Sober-U uses an exclusive lock to make removal difficult."

Kaspersky said possible e-mail attachments may be under such names as: Exceltab-packed_List.exe, Liste.zip and Reg-List-Dat_Packer2.exe., reg_text.zip Word-Text.zip, Word-Text_packedList.exe and Word-Text_packedList.zip.

Cupertino, Calif.-based Symantec reported the appearance of Sober-S@mm, Sober-W@mm and Sober-T@mm, saying the variants use their own SMTP engine to spread. "It sends itself as an e-mail attachment to addresses gathered from the compromised computer," the firm added.

Finnish antivirus firm F-Secure Corp. said it has raised its alert status to level 2 because of the four Sober variants it has been monitoring. At last check, F-Secure reported Sober-X and Sober-Z as the latest variants.

According to F-Secure, Bavarian police warned it on Monday that a new Sober attack might be launched the following day. The prediction proved accurate, the firm said in its daily lab blog.

"The German police is basing the information on a year-long investigation into the Sober case (the author of the virus is German)," F-Secure said. "They also say they can not provide more details at this time."

This article originally appeared on SearchSecurity.com.