Score one for viruses

[Morgeruat]

http://www.securityfocus.com/news/11365


Sober virus scares up child-porn confession
Robert Lemos, SecurityFocus 2005-12-20

A 20-year-old German man turned himself and his child-porn collection into authorities after believing a message propagated by the recent Sober virus that law enforcement officers were investigating his activities, Germany's Federal Criminal Investigation Office said on Monday.


“ I'm glad the guy was stupid enough to get caught. If you have to write viruses, something like the type of message is not bad. ”

Mikko Hyppönen, chief research officer, F-Secure

The Sober.X, also known as Sober.Y, virus attempts to fool computer users into running the malicious program by attaching itself to an e-mail that seems to come from the FBI or its German counterpart, known as the Federal Criminal Investigation Office or Bundeskriminalamt (BKA). The message implies that the law enforcement agency is investigating the recipient and asks the user to open up an attachment and answer questions.

In reality, the attachment is the Sober virus, which quickly takes control of the victim's PC to send more copies of itself, said Mikko Hyppönen, chief research officer for antivirus firm F-Secure.

"I'm glad the guy was stupid enough to get caught," Hyppönen said. "If you have to write viruses, something like the type of message is not bad."

While a prior version of the Sober virus had a similar message, this is likely the first time that a message intended to convince the recipient to run the virus scared a wrongdoer enough to turn themselves in. The Sober virus has made headlines because its creator has used the program to spread right-wing German propaganda and messages of hate. The latest variant is expected to download a payload on January 5, the anniversary of the founding of the Nazi party, according to antivirus firms.

While consumers have gotten better about distrusting the e-mail messages produced by such viruses, the number of PCs that are currently infected and compromised by the control software, known as bot software, installed by such viruses is in the millions, according to recent investigations.

The Sober virus does not install sophisticated bot software, but does compromise a PC so that it will spread future versions of the virus, F-Secure's Hyppönen said.

"Every new version of Sober infects every single computer already infected by Sober. So the bigger a Sober infection gets, the bigger the next launch of the next Sober is," he said.

The English version of the latest variant of the Sober virus has a common collection of possible messages, including notes from administrators and e-mail bounce notifications. In addition, there is a message that appears to come from the FBI or the CIA.

The English version of the message states:

we have logged your IP-address on more than 30 illegal Websites. Important: Please answer our questions! The list of questions are attached.

The Paderborn, Germany resident read the bulk e-mailed message sent by the latest Sober virus, panicked and contacted the police to admit he possessed child pornography, the BKA said in a statement. A search of the suspect's hard drive allegedly turned up pornographic images of minors--pictures that the suspect also sent out through e-mail, the BKA stated.

The FBI did not immediately know if any similar cases had occurred in the United States.

[Sir Degrader]

Wasn't this posted a day or two ago in the GE forum?

[Luvian]

Yeah, for a week I received maybe 5 variant a day of that virus. It was funny the first day, but it got old fast...

[Sir Degrader]

Especially since we're in Canada. I don't think I've gotten it, but if I did, I'd probably reply ( a big no no, but meh), with something to the effect "come and get me, you yank bastards!"

[Morgeruat]

Quote:

Originally posted by Sir Degrader: Wasn't this posted a day or two ago in the GE forum?

mebbe but since I hardly ever go there, let alone post there if it was I didn't see it.

[krunchyfrogg]

I hope this virus, if used by the athorities only, never gets blocked by any spyware programs.

[Luvian]

Quote:

Originally posted by krunchyfrogg: I hope this virus, if used by the athorities only, never gets blocked by any spyware programs.

This virus is not used by any authorities, it just claim it is from the FBI so that you open up the file and get infected.

[Sir Degrader]

Oh yes, because the FBI sends me SO many .txt file attachments... LOL.

[Luvian]

Quote:

Originally posted by Sir Degrader: Oh yes, because the FBI sends me SO many .txt file attachments... LOL.

It wasn't txt. I just checked and it's list.zm9

[ 12-21-2005, 07:03 PM: Message edited by: Luvian ]

[shamrock_uk]

Nah, it'll be .bat, .pif or .exe normally.

.zm9 is what Zone Alarm's mail checker leaves the attachment as.