Sober.D, discovered on Monday, is technically similar to its previous incarnation as Sober.C, where it used its own SMTP engine to send copies of itself to e-mail addresses found on infected systems. But the latest version displays fake Microsoft warnings and error messages.
 | ||||
| | | ||
| Get Up to Speed on... Enterprise security  Get the latest headlines and company-specific news in our expanded GUTS section. | | ||
| ||||
| ||||
According to Finnish antivirus company F-Secure, Sober.D spreads either as an executable attachment or inside a password-protected Zip archive attached to an e-mail. Once a person clicks on the file, the worm scans the PC to see if it has already been infected.
If the system is clean, a small box appears with the message: "This patch has been successfully installed." If the system is already infected with Sober.D, the message says: "This patch does not need to be installed on this system."
Sober.D also changes its language depending on where it is being sent. If the recipient's e-mail address has a "de," "ch," "at," "li," "nl" or "be" extension, the text will be in German and the subject will read: "Microsoft Alarm: Bitte Lesen." Otherwise the subject line is in English and reads: "Microsoft Alert: Please Read!" Previous versions of Sober have also been bilingual, Cluley said.
This is not the first time that a worm has disguised itself as a Microsoft update. In January, the Xombe, or Trojan.Xombe, worm posed as a critical patch for Windows XP. This was believed to be a copycat of 2003's most successful worm, Swen, which is thought to be the first known worm to masquerade as a security warning from Microsoft.
Microsoft has always maintained that it does not e-mail patches to people, so they should ignore any such messages.
Munir Kotadia of ZDNet UK reported from London.