Sober.P Email Worm Threat 2005.May.02

On Monday 2 May (PDT) Fortinet received the first samples of Sober.P, a mass-mailer that sends itself to email addresses harvested from the infected system. Messages are sent in German and English, the same technique used by previous variants of the worm. Like the other Sober variants, it originated in Germany. The first samples received came from Germany and neighbouring countries, but Fortinet soon received reports of sightings from across Europe and the USA.

Once again the worm's authors relied on refined social engineering techniques. Firstly, the message is sent in English or German depending on the suffix of the recipient's email address. Email addresses containing the following strings received the message in German:
As computer users are more used to receiving malware or spam in English, this technique may encourage German-speaking recipients to lower their defences.

Secondly, some of the messages and attachments (shown below) led unsuspecting victims to believe that the mail was related to World Cup (WM) football tickets from FIFA, again tempting them to open the attachment.

Below are some examples of subject lines used by the virus:
  Ihr Passwort
  Mail-Fehler!
  Ihre E-Mail wurde verweigert
  Ich bin's, was zum lachen ;)
  Glueckwunsch: Ihr WM Ticket
  WM Ticket Verlosung
  WM-Ticket-Auslosung
  Your Password
  Registration Confirmation
  Your email was blocked
  mailing error

Below are some of the file attachment names used by the virus (%text% is a variable prefix):
  %text%Fifa_Info-Text.zip
  %text%okTicket-info.zip
  %text%_PassWort-Info.zip
  %text%autoemail-text.zip
  %text%LOL.zip
  %text%mail_info.zip
  %text%our_secret.zip
  %text%error-mail_info.zip

Thirdly, the worm uses the increasingly common technique of skipping harvested addresses that belong to certain antivirus vendors. This keeps its profile low among the community best placed to stop its spread and widens its window of opportunity for propagation.

Fortinet believes that as computer users become more security aware, virus writers have to keep refining their social engineering techniques to entice users to open malicious attachments.

Propagation statistics (derived from reports generated by Fortinet FortiGate™ systems deployed worldwide that have eliminated the worm):
Based on these numbers it reached the number one position in Fortinet's list of top threats within 24 hours, and Sober.P went on to become the worst outbreak Fortinet has registered so far this year. Sightings of the worm finally slowed on May 10, dropping sharply from 36% to 14% of all reported viruses. At this point Fortinet reduced its threat level from 4 to 3 (on a scale where 5 = high and 1 = low). It appears that on May 10 Sober.P put itself into a dormant state. However, the traffic it generates on an infected machine indicates that further outbreaks can be expected when the virus "wakes up"…
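The subject lines and attachment names above are enough to build a simple mail-gateway check. The following Python script is an added example and is not code from this bulletin or from Fortinet: it parses a raw message, normalizes the Subject header, and matches attachment filenames on the fixed suffix that follows the variable %text% prefix. The two sample messages are constructed for the example; a subject match alone is deliberately not treated as a verdict, because subjects such as "Your Password" also occur in legitimate mail.

```python
"""Flag mail that matches the Sober.P subject lines and attachment names.

Added example; indicator lists are taken from the bulletin above, the
matching logic and the sample messages are assumptions made for this example.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lines listed in the bulletin (German and English).
SOBER_P_SUBJECTS = {
    "Ihr Passwort", "Mail-Fehler!", "Ihre E-Mail wurde verweigert",
    "Ich bin's, was zum lachen ;)", "Glueckwunsch: Ihr WM Ticket",
    "WM Ticket Verlosung", "WM-Ticket-Auslosung", "Your Password",
    "Registration Confirmation", "Your email was blocked", "mailing error",
}

# Attachment names in the bulletin have the form %text%<fixed suffix>, where
# %text% is a variable prefix, so only the fixed suffix is matched.
SOBER_P_ATTACHMENT_SUFFIXES = (
    "Fifa_Info-Text.zip", "okTicket-info.zip", "_PassWort-Info.zip",
    "autoemail-text.zip", "LOL.zip", "mail_info.zip", "our_secret.zip",
    "error-mail_info.zip",
)


def normalize(text: str) -> str:
    """Collapse whitespace, unify the apostrophe and fold case for comparison."""
    return " ".join(str(text).replace("\u2019", "'").split()).casefold()


_SUBJECTS = {normalize(s) for s in SOBER_P_SUBJECTS}
_ATTACHMENT_RE = re.compile(
    "(?:" + "|".join(re.escape(s) for s in SOBER_P_ATTACHMENT_SUFFIXES) + ")$",
    re.IGNORECASE,
)


def attachment_names(msg: EmailMessage) -> list[str]:
    """Return the filename of every MIME part that carries one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def classify(raw: bytes) -> dict:
    """Return subject/attachment hits and a verdict for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_hit = normalize(msg.get("Subject", "")) in _SUBJECTS
    names = attachment_names(msg)
    attachment_hits = [n for n in names if _ATTACHMENT_RE.search(n)]
    has_zip = any(n.lower().endswith(".zip") for n in names)
    # A known attachment name, or a known subject together with a .zip, is
    # treated as Sober.P; a subject alone is too generic to act on.
    verdict = "sober.p" if attachment_hits or (subject_hit and has_zip) else "clean"
    return {"subject_hit": subject_hit, "attachment_hits": attachment_hits,
            "verdict": verdict}


# Constructed sample: a worm-style message with a prefixed attachment name.
SAMPLE_WORM = b"""\
From: ticket-service@example.invalid
To: user@example.invalid
Subject: Glueckwunsch: Ihr WM Ticket
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="iso-8859-1"

Herzlichen Glueckwunsch!
--b1
Content-Type: application/zip; name="info-Fifa_Info-Text.zip"
Content-Disposition: attachment; filename="info-Fifa_Info-Text.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Constructed sample: a generic subject with no attachment, which must stay clean.
SAMPLE_CLEAN = b"""\
From: helpdesk@example.invalid
To: user@example.invalid
Subject: Your Password
Content-Type: text/plain

Your password expires next week.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_WORM, SAMPLE_CLEAN):
        print(classify(raw))
```

The suffix match is what makes the %text% indicators usable: a filter keyed on the full filename would miss every variant prefix. The check is only as good as the indicator lists, so it belongs alongside, not instead of, signature-based scanning.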
For further information, please see: W32/Sober.P-mm description.
Disclaimer: Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet ( www.fortinet.com ): Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection, including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam, designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.