News Stay informed about the latest enterprise technology news and product updates.

Multiple new Sober variants spy on passwords

AV firms say the latest Sober worms drop malicious files onto the computers to fetch access codes.

Antivirus firms are tracking several new variants of the prolific Sober worm, warning that these versions drop malicious files onto the machines they infect. Like past variants, these use e-mail attachments to spread.

"We went from Sober-U to Sober-Z about four hours ago," Kaspersky Lab of Russia said on its Web site Tuesday. "These Sobers are pretty much the same [as] before."

The worm drops a file oddly named "not-a-virus:PSWTool.Win32.PassView.162" into the system directory, Kaspersky said. "This tool is used to spy on passwords. Like previous variants, Sober-U uses an exclusive lock to make removal difficult."

Kaspersky said possible e-mail attachments may be under such names as: Exceltab-packed_List.exe, and Reg-List-Dat_Packer2.exe.,, Word-Text_packedList.exe and

Cupertino, Calif.-based Symantec reported the appearance of Sober-S@mm, Sober-W@mm and Sober-T@mm, saying the variants use their own SMTP engine to spread. "It sends itself as an e-mail attachment to addresses gathered from the compromised computer," the firm added.

Finnish antivirus firm F-Secure Corp. said it has raised its alert status to level 2 because of the four Sober variants it has been monitoring. At last check, F-Secure reported Sober-X and Sober-Z as the latest variants.

According to F-Secure, Bavarian police warned it on Monday that a new Sober attack might be launched the following day. The prediction proved accurate, the firm said in its daily lab blog.

"The German police is basing the information on a year-long investigation into the Sober case (the author of the virus is German)," F-Secure said. "They also say they can not provide more details at this time."

This article originally appeared on

Dig Deeper on Enterprise desktop management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.