Virus overview:
WORM_SOBER.AG spammed e-mails are written in both German and English languages. It checks the users system for the version of the Microsoft OS that's running ... if it detects GMX as the domain, it installs one of the German versions; otherwise, it installs one of the English versions.
The worm propagates via email messages that are spammed to recipients. However, once a system is infected, it spreads by itself. The worm has no automated capabilities and must therefore be inadvertently executed by the user to install. To entice the user to do this, the author utilizes classic social engineering techniques, such as promising pictures of celebrities, or alerting the user to illicit behavior.
At least two of the English versions of WORM_SOBER.AG spoof the Federal Bureau of Investigation (FBI) or Central Intelligence Agency (CIA), alerting the user that the agency has found evidence of the user visiting "more than 30 illegal Websites", and asks them to complete the attached "questionnaire". Launching the attachment activates the Worm. Similarly, one of the German versions spoofs Bundeskriminalamt, and threatens legal action against the users' illicit downloads of films, software, and MP3s. The email promises more details of the case in the attached file.
Another version promises a free download of "video clips, pictures and more" of Paris Hilton and Nicole Richie, stars of "The Simple Life" reality television series in the U.S. Attachments are disguised as zipped files.
WORM_SOBER.AG can download and run executable files from certain Web sites that it points to. However, this worm does not seem to have any backdoor capabilities.
As of November 21, 2005 at 2:20 pm (PST, GMT -8:00), TrendLabs has declared a MEDIUM risk alert in order to control the spread of WORM_SOBER.AG.
