Source: eWeek
A new variant of the Sober mass-mailing worm is being blamed for the deluge of German spam messages flooding inboxes this weekend, anti-virus experts warned on Sunday.
The spam barrage arrives with politically themed messages in German and contains only links to news articles on German Web sites. Finnish anti-virus vendor F-Secure Corp. said the spam run is being powered by Sober.Q, the latest mutant of a worm that was first spotted in October 2003.
The latest spam barrage comes just two weeks after Sober.P launched a massive attack by promising tickets to next year's World Cup soccer tournament in Germany. In that attack, the worm spread quickly by harvesting e-mail addresses from infected systems.
This weekend's spam run does not include executable attachments and resembles the methods used in June 2004 by Sober.H, an earlier variant.
One of the reasons this worm is still spreading is due to the fact that it can hide from virus scanners!
The ability to cloak itself means that antivirus programs must have the means to detect Sober running in memory, then kill those processes. But some of these applications either lack a memory scanner or have a scanner with limited functionality.
One of the reasons why the Sober.p worm continues to spread is because of the way it hides from some anti-virus scanners, a Russian security firm said Wednesday. Sober.p--also called Sober.s, Sober.o, and Sober.v by various anti-virus companies--includes a mechanism that prevents other programs from accessing its files, said Moscow-based Kaspersky Labs. That presents problems for some anti-virus software.
Nasty little guy
Online Virus Scans
http://housecall.trendmicro.com/hou.../start_corp.asp
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
https://testzone.secunia.com/online_antivirus/
http://www.bitdefender.com/scan/licence.php
http://vil.nai.com/vil/stinger/