Data Doctor: Source of spoofing Sober worm difficult to identify - East Valley Tribune: Business


Posted: Monday, December 12, 2005 10:44 am | Updated: 10:15 am, Fri Oct 7, 2011.

Q: This last week I received numerous e-mails with the Sober virus attachment and didn’t open any of the attachments. But a couple of them were addressed from my employer. How do they get this info? — Penny

A: The Sober family of worms has been around since late 2003, and to date there are more than 30 variants.

The basic difference between a worm and a virus is that a virus spreads on a file-to-file basis, while a worm spreads on a machine-to-machine basis. The latter worms its way through computer networks, including the world’s largest computer network, otherwise known as the Internet.

One of the most common traits of today’s worms and viruses is that they spoof the "From:" address of the e-mail to trick folks into thinking that the message is legitimate and to confuse the recipient. The virus and worm writers figured out a while ago that if the infected machine’s e-mail address was used in the "From:" section, it would be easy for the recipient to notify the sender that they were infected. By randomly selecting an e-mail address (one harvested from the infected machine’s address book) as the sender, the recipient would notify the wrong party that they received an infected message from them.

This confusion helps keep the virus infection alive because the infected party continues on with life with no idea that they are infected.

What you are experiencing is caused by someone infected with the Sober worm that has both your and your company’s e-mail addresses in its address book. Your company’s address was randomly selected as the sender.

Because you got the message and your company’s e-mail address was spoofed as the sender, you can narrow the possible infected parties to those that would have a reason to have both addresses in their address book (which can still be numerous).
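As the answer explains, the "From:" address is whatever the worm picked out of a harvested address book, so it says nothing about which machine actually sent the message; the Received: headers stamped by the recipient's own mail relay do. The following Python is an added example, not code from the column: it parses a constructed message with a spoofed From: and reports the IP address that handed the message to a relay you control, ignoring both the From: domain and any Received: lines below that hop. The relay name mx.example-recipient.net and every address in it are made up.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample, not a real Sober message. The From: header carries the
# spoofed employer address; the Received: chain (read bottom-up) shows what the
# recipient's own relay actually accepted. The bottom-most Received: line is one
# the sending machine could have written itself, so only the hop stamped by a
# relay we control is treated as trustworthy.
SAMPLE = """Received: from mx.example-recipient.net (mx.example-recipient.net [203.0.113.10])
    by mail.example-recipient.net with ESMTP; Mon, 12 Dec 2005 09:10:11 -0700
Received: from unknown (HELO employer.example) (198.51.100.77)
    by mx.example-recipient.net with SMTP; Mon, 12 Dec 2005 09:10:09 -0700
Received: from mail.employer.example (mail.employer.example [192.0.2.5])
    by employer.example with ESMTP; Mon, 12 Dec 2005 09:10:00 -0700
From: "IT Department" <it@employer.example>
To: penny@example-recipient.net
Subject: Your account

See the attached file.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")

def sender_domain(raw):
    """Domain of the From: header, i.e. the part the worm picked from an address book."""
    _, addr = parseaddr(email.message_from_string(raw).get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def received_chain(raw):
    """Received: hops oldest-first as (host that wrote the line, first IPv4 in the line)."""
    hops = []
    for value in reversed(email.message_from_string(raw).get_all("Received") or []):
        value = " ".join(value.split())  # unfold continuation lines
        by, ip = BY_HOST.search(value), IPV4.search(value)
        hops.append((by.group(1) if by else None, ip.group(1) if ip else None))
    return hops

def connecting_ip(raw, own_relays):
    """IP that delivered the message to the first relay we control; older lines may be forged."""
    for by, ip in received_chain(raw):
        if by in own_relays:
            return ip
    return None
```

For the sample, the From: domain is employer.example but the connecting address is 198.51.100.77, which is the value to compare against the employer's known mail servers and the customer or vendor networks mentioned below.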

Your company’s IT department may want to consider sending out a warning message to all of its employees to update their anti-virus software and run a full system scan to make sure the worm is not being sent by one of the company systems. Be sure they encourage everyone to also check their personal machines, as they may also have both addresses and be the culprit.

It is equally likely that the infected system is one that is owned by a customer or vendor, as they would also have both your address and your company’s address in their address books.

The most current variant of the Sober worm has a payload that is set to trigger on Jan. 5 and will instruct infected systems to download new instructions and likely create another massive wave of infected e-mail messages. All of today’s anti-virus software is capable of detecting and blocking this worm, but only if it is up-to-date.

One of the worm’s characteristics, however, is that it will attack your anti-virus software and lower its settings so it can do its damage, so don’t assume that everything is just fine because you see the anti-virus program’s icon next to your clock.

If you want to make sure your anti-virus program has not been compromised, you can use an online virus scan (such as the one from Trend Micro at http://) to make sure your system is clean.
