New Sober Worm Poses As Microsoft Patch

A new virus discovered Monday plays off fears generated by last week's wave of worms by masquerading as a patch from Microsoft that purportedly keeps MyDoom at bay.

Sober.d, also dubbed Roca.a by some security firms, arrives in an e-mail message with a subject that reads "Microsoft Alert: Please Read!" (The worm also comes in a German flavor, with a matching headline of "Microsoft Alarm: Bitte Lesen!")

The message's text then goes on to urge the recipient to open the attached file, which can arrive either as an executable, or within a password-protected Zip archive. The attachment, claims the message, will protect the user's computer from a new variant of the MyDoom worm, and has other text that tries to pass itself off as coming from Microsoft. (Microsoft never e-mails security updates.)

If the recipient launches the attachment, the worm scans the PC to see if it's already infected. If not, Sober.d displays a dialog box titled "Windows Update --MS-Q4232361791-" with the message: "The patch has been successfully installed."

If the computer has been infected, the dialog's message changes to: "This patch does not need to be installed on this system," giving users an even greater false sense of security, said Ken Dunham, the director of malicious code research at iDefense, in an e-mail to TechWeb.Sober.d isn't the first worm to pose as a security update from Microsoft. Last year's Swen outbreak, for instance, successfully used this trick to infect thousands of computers.

Anti-virus firms reacted by updating their virus definitions to take the new Sober into account, and by bumping up alert levels. Network Associates, for instance, tagged Sober.d as a "medium" threat, while rival Symantec labeled it as only a "2" in its 1 through 5 scale.