Sober worm set to launch another attack

04.01.2006
Security managers who already have their hands full this week dealing with the Windows WMF vulnerability could have another headache to contend with later this week when the latest version of the Sober worm is programmed to launch an attack.

Systems already infected by the last version of the worm may download and run malicious files from certain Web domains starting at midnight tomorrow night.

'Beginning approximately every two weeks thereafter, the worm is set to begin downloading and running malicious files from additional sites on the same Web domains,' a Microsoft advisory released Tuesday said.

The Sober worm and its variants -- believed to have been initially authored by German hackers -- are now among the most prolific pieces of malware to date and are believed to be responsible for infecting tens of millions of computers worldwide. The worm does not target any specific vulnerability. Rather it requires users to open a malicious file attachment in e-mails or to click on links that contain malicious attachments.

The last version of the worm appeared on Nov. 22, 2005, the inauguration day for Germany's first female chancellor. The latest Jan 5. trigger coincides with the 80th anniversary of the launch of the Nazi party and also coincides with a major German political convention on Friday.

It's not clear yet what damage the latest version could do, said Todd Brennan, chief technology officer at Bit9 Inc., a Cambridge, Mass.-based vendor of endpoint security products. Because the worm and its variants have been around for a while, many systems are likely to have been patched or otherwise protected against the threat, he said.