Emails arrive which encourage victims to click on attachments purporting to be threats from the FBI or videos clips of Paris Hilton and her reality TV co-star Nicole Richie. In reality, the attachment is a minor modification of the Sober virus that has flared up several times over the past year.
One version of the email carrying the worm appears to be a letter from the FBI saying the agency has found evidence the computer user has been visiting illegal websites. It asks the recipient to click on the attachment to answer questions.
The email claims to have been sent by an FBI agent with the message: ‘We have logged your IP-address on more than 30 illegal Websites. Important: Please answer our questions! The list of questions are attached.’ That ‘list’ of questions is attached as a .zip file and in fact contains the virus.
The FBI released a warning on November 22, 2005 saying it never sends unsolicited emails. The FBI takes this matter seriously and is investigating. Users are instructed to delete the email without opening it, it said.
Another version of the email used a message purporting to be from the Central Intelligence Agency. A third, a German-language variant, contained a threatening message from a German law enforcement agency. A separate version purports to offer a download manager for video clips, pictures and more of Hilton and Richie.
The good news is that while this version is virulent, it does not appear to have much of a payload. But security company F-Secure said internet companies have seen several millions of infected emails over the course of hours. The numbers we’re now seeing… are just huge, warned F-Secure’s chief research office Mikko Hypponen. This is the largest email worm outbreak of the year, so far.
If activated, the worm drops several files onto a computer and searches for email addresses stored in address books or elsewhere in memory and sends copies of itself to those destinations. If it finds Microsoft’s anti-spyware and antivirus software running, it turns the protections off.
Several other variants of a different virus, dubbed Mytob, are also making the rounds. The emails carrying them purport to be a message from an email service provider or from support staff providing notification about a changed password or suspended account.
