Antivirus software does not provide any reliable protection against current threats. Viruses like Sober tend to change every few hours well in advance of AV signature updates. The fact that an attachment did not get marked is no indication that it is harmless. We do receive reports of up to date versions of AV software missing some of the recent Sober variants.
Sober is now considered the “largest virus outbreak of the year” according to F-Secure (thanks Matthias J. for pointing this out). It looks like the fake FBI e-mails are working for them.
Note from reader Marc R: Please do not have your AV software reply to viruses. All commonly seen viruses use fake ‘From:’ headers. Rumor has it that fbi.gov is having a hrad time keeping up with all the bounces in the first place.
One not of interested: We had another Sober outbreak last year in June, around the same time we had the “Download.ject”. Download.Ject (aka Berbew) used a Internet Explorer exploit to download and install a trojan. A number of well known, trusted, web sites had been compromissed and spread the trojan.
None of these does anything new or fancy. They all try to trick users into executing the attached ZIP file. The best defense at this point is probably to strip ZIP file attachments.
The subjects and the body text vary widely. Many of them suggest that the attachment was sent by some government authority (FBI, CIA) and requests that you open it in order to verify some charges brought against you. A version in German refers to the ‘BKA’ (German equivalent of FBI). Other versions claim to be sent by banks and ask you to open an attachment to verify account details.
List of links about Sober:
Symantec (Level 3 risk) W32.Sober.X@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.x@mm.html
McAfee (currently Low risk) W32/Sober@MM!M681
http://vil.nai.com/vil/content/v_137072.htm
Trend Micro (Medium risk) WORM_SOBER.AG
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAG
F-Secure (Radar Level 2) Sober.Y
http://www.f-secure.com/v-descs/sober_y.shtml
Sophos (low risk) W32/Sober-{X, Z}
http://www.sophos.com/virusinfo/analyses/w32soberx.html
http://www.sophos.com/virusinfo/analyses/w32soberz.html
Computer Associates (Medium risk) Win32.Sober.W
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=49473
Panda Antivirus (Medium risk) Sober.Y
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=92673&sind=0
