Browse archive

Latest news

CISOs need to engage with the board

Wi-Fi client security weaknesses still prevalent

Find TrueCrypt and BitLocker encrypted containers and images

Sourcefire goes beyond the sandbox

The CSO perspective on healthcare security and compliance

Jailed hacker designs device to thwart ATM card skimming

U.S. Congress has questions about Google Glass and privacy

Cyber espionage campaign uses professionally-made malware

Form-grabbing rootkit sold on underground forums

Large cyber espionage emanating from India

Over 45% of IT pros snitch on their colleagues

Thoughts on the need for anonymity

IT security jobs: What's in demand and how to meet it

Hacking charge stations for electric cars

MessageLabs Stops Over 2.7 million Copies of New Sober Virus That Spoofs FBI and CIA

Posted on 23 November 2005.

November 22, 2005 - New York 17:00 GMT/ 12:00 ET - MessageLabs, the leading provider of managed email security services to businesses worldwide, has intercepted over 2.7-million copies of a new Sober virus, many of which are being spoofed to appear as though they are sent from the FBI or the CIA. The first copy was stopped at 19:00 GMT on 21st November. The size of the attack indicates that this is a major offensive, certainly one of the largest in the last few months.

These emails suggest to recipients that their Internet use has been monitored by the FBI or CIA and that they have accessed illegal Web sites. The email directs users to open the ZIP attachment containing the executable, which once opened delivers the Sober virus payload. It then spreads by searching the infected computer for other email addresses to send copies of itself to, but ignoring any domains for certain security organizations, including MessageLabs.

The virus will send emails in German for domains ending .DE or .AT and a few others, with the remainder being sent in English. It seems that despite warnings, many recipients are still opening the emails allowing the virus to spread still further.

Also, since yesterday, MessageLabs has stopped three new variants of W32/Mytob, one of which was W32/Mytob.ED!ee4e, for which we have stopped over 10,000 copies.

MessageLabs stopped all copies destined for clients using the MessageLabs Anti-virus service.

Email Characteristics

From: mail@fbi.gov, post@fib.gov, admin@fbi.gov

Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison

++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505

++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time

Attachment:
question_list.zip
list.zip

Size: 54.2 KB (55,536 bytes )

Detection
MessageLabs detected this virus proactively, using its unique and patented Skeptic(tm) predictive heuristics technology.

About MessageLabs
MessageLabs is the world's leading provider of messaging security and management services with more than 12,000 clients and offices in eight countries. For more information, please visit www.messagelabs.com.