Security Advisory
Microsoft Security Advisory 912920
Systems that are infected with Win32/Sober.Z@mm may download and run malicious files from certain Web domains beginning on January 6, 2006
Published: January 03, 2006
Microsoft is aware of the Sober mass mailer worm variant named Win32/Sober.Z@mm. The worm tries to entice users through social engineering efforts into opening an attached file or executable in e-mail. If the recipient opens the file or executable, the worm sends itself to all the contacts that are contained in the system’s address book. Customers who are using the most recent and updated antivirus software are at a reduced risk from infection by the Win32/Sober.Z@mm worm.
On systems that are infected by Win32/Sober.Z@mm, the malware is programmed to download and run malicious files from certain Web domains beginning on January 6, 2006. Beginning approximately every two weeks thereafter, the worm is set to begin downloading and running malicious files from additional sites on the same Web domains.
As with all currently known variants of the Sober worm, the worm does not appear to target a security vulnerability, but rather relies on the user opening an infected attachment.
Microsoft added detection for the latest Sober variants in its December 2005 update to the Malicious Software Removal Tool and in the Windows Live Safety Center.
Customers who believe that they are infected with Sober or are not sure whether they are infected should visit Safety.live.com and choose "Protection Scan" or run the latest version of the Malicious Software Removal Tool from either Microsoft Update or Windows Update to ensure that their systems are free of infection. Additionally, Windows OneCare from Microsoft provides detection for and protection against Sober and its known variants.
Microsoft will release an updated version of the Malicious Software Removal Tool on January 10, 2006, that will further assist in the detection and removal of known malware threats including Sober and its known variants. See Microsoft Knowledge Base Article 891716 for additional details on how to deploy the Malicious Software Removal Tool with the latest definitions to help protect against malware.
For more information about Sober, to help determine whether you have been infected by the worm, and for instructions on how to repair your system if you have been infected, see the Microsoft Virus Encyclopedia. For Microsoft Virus Encyclopedia references, see the “Overview” section. We continue to encourage customers to use caution with unknown file attachments and to follow our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps by visiting the Protect Your PC Web site.
Mitigating Factors:
- Customers must open a malicious e-mail attachment in order to be infected by the worm.
General Information
Overview
Purpose of Advisory: Notification of increased possible activity on January 6, 2006, that is related to the Win32/Sober.Z@mm worm and the availability of mitigations against this potential threat.
Advisory Status: Advisory published
Recommendation: Review the suggested actions, and scan for and clean possible infected systems.
| References | Identification |
|---|---|
| Microsoft Virus Encyclopedia | https://www.microsoft.com/security/encyclopedia/details.aspx?Name=Win32/Sober.Z@mm |
| Malicious Software Removal Tool | Microsoft Security Web site |
| Windows Live SafetyCenter | https: |
| Windows OneCare | https://beta.windowsonecare.com |
| Symantec | W32.Sober.X@mm |
| McAfee | W32/sober@mm!m681 |
| Trend Micro | WORM_SOBER.AG Description and solution |
| CA | Win32.Sober.W |
This advisory discusses the following software.
| Related Software |
| Microsoft Windows 2000 Service Pack 4 |
| Microsoft Windows XP Service Pack 1 |
| Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) |
| Microsoft Windows XP Service Pack 2 |
| Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) |
| Microsoft Windows XP Professional x64 Edition |
| Microsoft Windows Server 2003 |
| Microsoft Windows Server 2003 for Itanium-based Systems |
| Microsoft Windows Server 2003 Service Pack 1 |
| Microsoft Windows Server 2003 with SP1 for Itanium-based Systems |
| Microsoft Windows Server 2003 x64 Edition |
| Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) |
Frequently Asked Questions
What is the scope of the advisory?
Sober is a worm that affects Windows-based computers and requires users to execute a malicious file attachment in e-mail or by clicking a link that has an infected attachment. Once the file attachment is executed, this worm and its variants will attempt to send themselves to all the contacts in a computer’s address book. Users may already be protected from Sober and its variants if up-to-date versions of antivirus software are installed.
Is this a security vulnerability that requires Microsoft to issue a security update?
No. This is not a security vulnerability. However, in consideration of the expected increased activity that is related to this variant on January 6, 2006, this update was issued to provide additional warning for users who could be infected by executing a copy the worm that they received through an attachment and to make them aware of actions that they can take ahead of time to remove any possible Sober infections.
What causes this threat?
The threat is caused by the execution of an infected file attachment in e-mail.
Is this issue related to the recent WMF issue or to Microsoft Security Advisory (912840)?
No. The Win32/Sober.Z@mm worm does not affect the recent WMF vulnerability as reported in Microsoft Security Advisory (912840).
Suggested Actions
Check for and remove the Sober infection.
Use the Microsoft Windows Malicious Software Removal Tool, Safety.live.com, or Windows OneCare to search for and remove the Sober worm and its variants from infected systems.Monitor outbound network connections to targeted Web sites.
Because the Win32/Sober.Z@mm worm may download and run malicious files from certain Web domains beginning on January 6, 2006, attempted connections to the following Web sites should be monitored for signs of an infected host on local networks. | | |--------------------| | Targeted Web sites | | people.freenet.de | | scifi.pages.at | | home.pages.at | | free.pages.at | | home.arcor.de |
Protect your PC.
We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps by visiting the Protect Your PC Web site.For more information about staying safe on the Internet, visit theMicrosoft Security Home Page.
Exercise caution opening attachments:
As a best practice, users should always exercise extreme caution when they open unsolicited attachments from both known and unknown sources.Keep Windows Updated
All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Windows Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
Other Information
Resources:
- You can provide feedback by completing the form by visiting the following Web site.
- Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.
- International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.
- The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- January 03, 2006: Advisory published
Built at 2014-04-18T13:49:36Z-07:00 </https:>