Sober worm goose-steps onto world's PCs

By on

A new variant of the Sober worm is turning computers into spam relays for Nazi propaganda.

Computers infected with the Sober.p worm started downloading the Sober.q worm, last Saturday night, which has turned them into mass mailers of extreme right-wing propaganda. The machines were originally infected with the worm when users were duped into thinking they had won tickets for the 2006 football World Cup, being held in Germany earlier this month.

The latest variant does spread itself via the normal means of email but sets itself up as a spam relay sending vile racist messages in German to various Germanic domians. Outside of these, it posts messages in English.

Spam sent by the Trojan from infected PCs uses various subject lines including: 'Dresden Bombing Is To Be Regretted Enormously', 'Armenian Genocide Plagues Ankara 90 Years On', 'Dresden 1945' and 'Turkish Tabloid Enrages Germany with Nazi Comparisons'. Some of the spam is also demanding that the allied forces in the Second World War are tried for war crimes.

It also drops a file onto infected PCs that includes links to news stories about previous versions of the Sober worm and the text: 'Ich bin immer noch kein Spammer! Aber sollte vielleicht einer werden :)', which translates to 'I'm not a spammer, but perhaps I should become one :)'.

The worm has echoed previous variants with its methods, according to an antivirus expert.

"Sober.p stopped mailing itself and went into "update mode". The worm was designed to check certain servers for executables and Sober.q was on one of these servers," said David Emm, senior technology consultant at Kaspersky Labs. "So Sober.p acted as a downloader for Sober.q Something similar happened before, with Sober.g and Sober.h."

It also appears that the author is trying to make a name for themselves.

"By including links to news stories about previous variants of the Sober worms, it seems that the author is looking for notoriety," said Graham Cluley, senior technology consultant at antivirus company Sophos. "But it's unlikely that the thousands deluged with this spam will take kindly to his tactics."

www.sophos.com
www.kaspersky.com

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

Log In

Username:
Password:
|  Forgot your password?