McAfee Raises the Risk Assessment For Sober.k

by CXOtoday Staff    Feb 01, 2005

McAfee today announced that McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team), the research division of McAfee, raised the risk assessment to ‘Medium’ on the recently discovered W32/Sober.k@MM, also known as Sober.k.

Sober.k is a mass mailing threat that contains its own SMTP engine to construct outgoing messages, which are written in German or English. It harvests addresses from local files and then uses the harvested addresses to send itself. This produces a message with a spoofed ‘From’ address.

An attachment comes in the form of a .zip file that contains an executable file inside. The filename contains a dual extension with the first extension being .txt, followed by many spaces and the second extension .PIF.
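The padded dual extension described above can be checked for at a mail gateway or during triage by listing the archive's member names without extracting them. The following is an added example, not McAfee's detection logic; the extension list beyond .PIF, the padding threshold, the function names and the sample filename are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# .pif is the extension named in the article; the others are assumed additions.
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd"}

# Decoy extension, a run of whitespace, then the real extension at the end.
PADDED_DOUBLE_EXT = re.compile(r"\.(\w{1,5})(\s+)\.(\w{1,5})\s*$")

MIN_PADDING = 3  # assumed threshold for "many spaces"


def suspicious_members(zip_bytes):
    """Return (name, decoy_ext, real_ext, padding_len) for each archive
    member whose executable extension is pushed out of view by whitespace."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()  # reads the directory only, extracts nothing
    except zipfile.BadZipFile:
        return hits  # not a readable zip; nothing to report
    for name in names:
        base = name.rsplit("/", 1)[-1]  # ignore any folder prefix
        match = PADDED_DOUBLE_EXT.search(base)
        if not match:
            continue
        decoy, padding, real = match.groups()
        if real.lower() in EXECUTABLE_EXTS and len(padding) >= MIN_PADDING:
            hits.append((name, decoy.lower(), real.lower(), len(padding)))
    return hits


def build_sample_zip(names):
    """Build an in-memory zip with harmless placeholder members (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in names:
            zf.writestr(member, b"constructed placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample names; the middle one mimics the pattern in the article.
    sample = build_sample_zip(
        ["readme.txt", "document.txt" + " " * 40 + ".PIF", "backup.tar.gz"]
    )
    for name, decoy, real, pad in suspicious_members(sample):
        print(f"flag: shows as .{decoy}, runs as .{real}, {pad} padding chars")
```
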

Users would need to manually extract the executable from the .zip file and manually run the attachment in order to be infected. There is no exploit launching the executable automatically. The importance of the mail is set to “High” (this will only have an effect for certain mail clients).

After being executed, Sober.k copies itself into the Windows system directory under a name constructed from a pool of strings, so the filename varies.

McAfee recommends that users log on to McAfee Alert Notification to download the 4424 DAT files, so as to prevent infection.