Hi everyone, Stephen Toulouse here. There is a lot of activity happening within the MSRC this week, so I wanted to make sure that, in addition to the guidance we’ve put out around the WMF vulnerability, we also let you know that we’ve issued a security advisory regarding recent variants of the Win32/Sober worm. To be clear, these are separate and unrelated issues; however, getting guidance out to customers is equally important when customers are faced with any sort of malicious threat.
The antivirus community has been tracking variants of Win32/Sober, a mass mailer worm that attempts to entice users into opening an attached executable or clicking a malicious URL via IM. The worm doesn't appear to target a security vulnerability, but rather relies on the user opening the attachment or clicking a link in their IM window to execute.
On systems already infected by Win32/Sober.Z@mm, the malware is programmed to download and run malicious files from certain Web domains beginning on January 6, 2006. Beginning approximately every two weeks thereafter, the worm is set to begin downloading and running malicious files from additional sites on the same Web domains.
We've added detection for the latest Sober variants to the Malicious Software Removal Tool and the
We have issued a security advisory to provide guidance to affected customers to help protect themselves, which is available here.
*This posting is provided "AS IS" with no warranties, and confers no rights.*