These emails suggest to recipients that their Internet use has been monitored by the FBI or CIA and that they have accessed illegal Web sites. The email directs users to open the ZIP attachment containing the executable, which once opened delivers the Sober virus payload. It then spreads by searching the infected computer for other email addresses to send copies of itself to, but ignoring any domains for certain security organizations, including MessageLabs.
The virus will send emails in German for domains ending .DE or .AT and a few others, with the remainder being sent in English. It seems that despite warnings, many recipients are still opening the emails allowing the virus to spread still further.
Also, since yesterday, MessageLabs has stopped three new variants of W32/Mytob, one of which was W32/Mytob.ED!ee4e, for which we have stopped over 10,000 copies.
MessageLabs stopped all copies destined for clients using the MessageLabs Anti-virus service.
From: email@example.com, firstname.lastname@example.org, email@example.com
we have logged your IP-address on more than 30 illegal Websites.
Please answer our questions!
The list of questions are attached.
++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505
++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time
Size: 54.2 KB (55,536 bytes )
MessageLabs detected this virus proactively, using its unique and patented Skeptic(tm) predictive heuristics technology.
MessageLabs is the world's leading provider of messaging security and management services with more than 12,000 clients and offices in eight countries. For more information, please visit www.messagelabs.com.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.