Computer Worm Poses as E-Mail From FBI, CIA

It's being called the worst computer worm of the year -- a fast-spreading Internet threat that looks like an official e-mail from the CIA or FBI but can leave your computer wide open to intruders.

The bogus e-mail claims the government has discovered you visiting "illegal" Web sites and asks you to open an attachment to answer some official questions. If you do, your computer gets infected with malware that can disable security and firewall programs and blast out similar e-mails to contacts in your address book. It can also keep you from getting to computer security Web sites that might help fix the problem, and it may open your Windows computer to intruders who can steal your personal data.

The worm -- named "Sober X" -- has spread so far so fast that the CIA and the FBI put prominent warnings on their Web sites making clear that they did not send out the e-mail and urging people to not open the attachment.

Across the Atlantic Ocean, Austria's equivalent to the FBI is investigating a flurry of similar bogus e-mails sent in its name to people in Austria, Germany and Switzerland, the Associated Press reported.

"This particular virus is a mass-mailer worm and is the largest one we have seen this year," said Alfred A. Huger, senior director of engineering at Symantec Corp., which sells Norton AntiVirus software. "It's as bad as it gets. With this particular type of virus on your system, there is a high probability that your personal information will be stolen."

Craig Schmugar, a virus-research manager at McAfee Inc.'s Avert Labs, said his company, which also makes anti-virus software, had logged more than 73,000 consumer computers reporting detection since the worm was discovered Monday.

British e-mail security company MessageLabs Ltd. said it has intercepted more than 2.7 million copies of Sober and its variants, noting that "the size of the attack indicates that this is a major offensive, certainly one of the largest in the last few months."

Still, the Sober worm was listed as only a "medium-risk" worm by security companies, which noted that it was not as widespread as others in recent years, notably MyDoom, which hit computer systems early last year.

Sober is known to affect only those computers running the Windows operating system. It appears that Apple and Linux computer users were not affected.

The e-mail informs the recipient that the user's "IP-address" has accessed more than 30 illegal Web sites and that the attachment contains a list of questions that need to be answered. The e-mail also includes an authentic phone number for the FBI or CIA.

And that has kept government switchboard operators busy.

FBI operators have been routing calls and complaints to its Internet Crime Complaint Center in West Virginia, which received more than 4,000 complaints about the worm on Monday. The ICC typically receives 18,000 complaints each month, said FBI spokeswoman Cathy Milhoan.

The FBI is investigating the source of the attack, which closely resembles an e-mail worm that surfaced in February, Milhoan said, though she declined to comment on the progress of that investigation.

Source: washingtonpost.com

[dmscs]

It's more an anoying thing really!


Sober.AH Worm Aliases: W32.Sober.X@mm, Email-Worm.Win32.Sober.y, W32/Sober-Z, W32/Sober.AG.worm, Email-Worm.Win32.Sober.Y

Technical Name W32/Sober.AH.worm

It ends several processes belonging to some security tools, among others and displays a fake error when it is run. It spreads via email in a message written in English or German.

Sober.AH is a worm that ends several processes belonging to some security tools, among others.

Sober.AH spreads via email, in a message written in English or German that contains an attached file with ZIP format.

The email message will be written in German only if the mail domain extension is one of the following: de (Germany), ch (Switzerland), at (Austria) or li (Liechtenstein).

Removal

# Delete the entries that Sober.AH has created in the Windows Registry:

HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Run
_Windows = %windir% WinSecurity services.exe

HKEY_LOCAL_MACHINE Software Microsoft Windows CurrentVersion Run
[blank space]Windows = %windir% WinSecurity services.exe
where %windir% is the Windows directory.

# Restart the computer and get on with your life

For me is not a problem, I know to take care and to clean my system. The problem is with the beginners. A beginner as a first thing you know what do? PANIC
As a second thing start to made a lots of calls to friends, etc.

Ovi