FBI: We're Not Infecting You

A new version of the Sober worm is believed to be behind e-mails that supposedly come from G-man servers.

By Jim Wagner | Posted Feb 23, 2005

The FBI said Tuesday that it is not behind a worm-infected e-mail that is finding its way into inboxes.

Paul Bresson, an FBI spokesman, said the agency first heard of the e-mails purportedly coming from its servers over the weekend and is looking for the worm's author.

"We are aggressively looking into it [and] we have a cyber squad that's devoted to this investigation," he said. "Sometimes these kinds of cases take some time and sometimes they don't require as much, but we'll have to see."

According to antivirus vendors Symantec and F-Secure, the culprit is a new variant of the Sober worm, Sober.K, which forges sender addresses at a number of e-mail domains.

The e-mails bear the subject line "You visit illegal websites" and state in the body that the user's IP address has been logged on more than 40 illegal Web sites and that the recipient should contact M. John Stellford of the FBI.

Written in Visual Basic, the 58KB worm creates new registry entries and data files in which it stores harvested e-mail addresses and a copy of itself. It then checks for a network connection and mails a copy of itself to the harvested addresses using its own SMTP engine, so the messages never pass through the mail server of the domain they claim to come from.

Besides messages purporting to come from the FBI, the worm generates messages in German and English that claim to contain Paris Hilton videos, a Microsoft warning about a new Sober variant, an e-mail delivery-failure notice, or a statement that the user has made a payment and should click the attachment for details.

Besides a number of @fbi.gov aliases, the worm forges sender headers as security@microsoft.com and as generic hostmaster, webmaster and postmaster addresses.

According to security experts, the worm affects only the Windows platform and installs itself only when the user opens the attachment; reading the message itself does not infect the machine.
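As an added example (not code from the article, the FBI, Symantec or F-Secure), the following Python script turns the description above into three triage checks and runs them over constructed sample messages: whether a From: address claiming fbi.gov or microsoft.com actually arrived from a relay in that domain, whether the subject line is the reported one, and whether the message carries an attachment a Windows user could run. The sample messages, host names, IP addresses and the list of executable extensions are assumptions made for this example.

```python
"""Triage rules for worm mail that forges its sender headers.

Added example, not code from the article or the organizations it cites.
The sample messages below are constructed; no real hosts or addresses.
"""
import email
import email.utils
import re
from email import policy

# Domains the article reports the worm forging in From:. Real mail from these
# domains is relayed by a host in the same domain; a worm using its own SMTP
# engine delivers straight from the infected PC, so the Received header that
# our own MX writes shows some other host.
SPOOFED_SENDER_DOMAINS = {"fbi.gov", "microsoft.com"}
KNOWN_SUBJECTS = {"you visit illegal websites"}
# Extensions a Windows user can run by clicking (assumed list, not from the article).
EXECUTABLE_EXTS = (".exe", ".pif", ".scr", ".bat", ".com", ".zip")

# Matches the "from HELO (rdns [ip])" clause of a typical Received header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)", re.I
)


def sender_domain(msg):
    """Domain part of the From: address, lower-cased."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def connecting_host(msg):
    """Reverse-DNS name of the host that handed the mail to our MX.

    Only the topmost Received header is trusted: our own server wrote it.
    Lower ones were written (or forged) by whoever sent the mail.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_RE.search(received[0])
    return m.group("rdns").lower() if m else None


def triage(raw):
    """Return a list of findings for one raw RFC 2822 message (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    dom = sender_domain(msg)
    host = connecting_host(msg)
    if dom in SPOOFED_SENDER_DOMAINS:
        if host is None or not (host == dom or host.endswith("." + dom)):
            findings.append(f"From claims {dom} but mail came from {host or 'unknown host'}")
    if msg.get("Subject", "").strip().lower() in KNOWN_SUBJECTS:
        findings.append("known Sober.K subject line")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTS):
            findings.append(f"executable attachment {name}")
    return findings


# Constructed sample in the style the article describes: forged fbi.gov sender,
# delivered directly from a (fictional) residential host, runnable attachment.
SAMPLE_WORM = """\
Received: from pc-123.example-isp.net (pc-123.example-isp.net [203.0.113.45])
    by mx.example.org with SMTP; Mon, 21 Feb 2005 10:12:33 +0000
From: "FBI" <admin@fbi.gov>
To: victim@example.org
Subject: You visit illegal websites
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your IP address was logged on more than 40 illegal websites.
Please answer our questions and contact M. John Stellford.

--b1
Content-Type: application/octet-stream; name="details.zip"
Content-Disposition: attachment; filename="details.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample of mail that really was relayed by a host in the claimed domain.
SAMPLE_LEGIT = """\
Received: from mail.fbi.gov (mail.fbi.gov [192.0.2.10])
    by mx.example.org with ESMTP; Mon, 21 Feb 2005 11:00:00 +0000
From: agent@fbi.gov
To: victim@example.org
Subject: Re: meeting

See you at three.
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("legit", SAMPLE_LEGIT)):
        print(label, triage(raw) or "clean")
```

The check relies on the one header the worm cannot forge: the Received line that the receiving server itself writes when the worm's SMTP engine connects. Everything below it, and the From: line, is under the sender's control. Matching reverse DNS against the claimed domain is a heuristic; sender authentication such as SPF and DKIM, which were not widely deployed in 2005, makes the same comparison mechanical.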

Symantec first detected Sober.K on Sunday, and F-Secure reported that the worm was seeded in e-mails on Monday, according to the two companies' advisories.

Symantec's advisory includes removal instructions for users of its antivirus products whose systems are infected.

"Opening e-mail attachments from an unknown sender is a risky and dangerous endeavor; as such attachments frequently contain viruses that can infect the recipient's computer," the FBI statement reads. "The FBI strongly encourages computer users not to open such attachments."

In the same statement, FBI officials said the agency does not send unsolicited e-mail and that users should take precautions when reading their mail.

The FBI encourages users to report such e-mails to the Internet Crime Complaint Center (IC3) through its online complaint form.

Article courtesy of internetnews.com
