New Sober Worm Tries to Prey on World Cup Fans
BEAVERTON, Ore., May 2 /PRNewswire-FirstCall/ -- McAfee, Inc. (NYSE: MFE),
the leader in Intrusion Prevention and Risk Management solutions, today
announced that McAfee(R) AVERT(TM) (Anti-virus and Vulnerability Emergency
Response Team), the world-class research division of McAfee, Inc., raised the
risk assessment to Medium on the recently discovered W32/Sober.p@MM, also
known as Sober.p. Sober.p is a prolific worm that spreads via email, sending
itself to addresses found on the victim's machine. The worm arrives as a .zip
file attached to e-mail and shares much of its functionality with its
predecessor, W32/Sober.k@MM. The worm was first reported to McAfee AVERT
researchers this morning PST, and to date McAfee AVERT has received more than
60 reports of the virus in the wild from unique senders.
Threat Overview
Sober.p is a mass mailing threat that contains its own SMTP engine to
construct outgoing messages, which are written in German or English. It
harvests addresses from local files and then uses the harvested addresses to
send itself. This produces a message with a spoofed From address. The
attachment is a .zip file containing an executable file named
"winzipped-text_data.txt.pif". The filename has a double extension: the
first extension is .TXT, followed by many spaces and then the second
extension, .PIF. When the ZIP archive is extracted and the contained
PIF file is manually executed, the virus may display a fake error message.
Users would need to manually extract the executable from the .zip file and
manually run the attachment in order to be infected.
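A mail-gateway style check for the padded double extension described above, as an added example that is not McAfee's code or part of the original release. The extension lists, the function names and the 40-space padding in the constructed sample are assumptions; the archive is inspected by member name only and nothing is extracted.

```python
import io
import re
import zipfile

# Final extensions Windows runs directly (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd"}
# Harmless-looking extensions used as the visible decoy (assumed list).
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "htm", "html"}

# <stem>.<decoy><optional whitespace padding>.<real extension>
DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]{1,5})(\s*)\.([A-Za-z0-9]{1,5})\s*$")


def classify_name(name):
    """Return a finding dict for a deceptive double extension, else None."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    m = DOUBLE_EXT.search(base)
    if not m:
        return None
    decoy, padding, real = m.group(1).lower(), m.group(2), m.group(3).lower()
    if real not in EXECUTABLE_EXTS or decoy not in DECOY_EXTS:
        return None
    return {"name": base, "decoy": decoy, "real": real, "padding": len(padding)}


def scan_zip_attachment(data):
    """List findings for each member of a ZIP given as bytes, without extracting."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [f for f in map(classify_name, names) if f]


def build_sample_zip(names):
    """Constructed test input: members hold harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Padding length is assumed; the release only says "many spaces".
    padded = "winzipped-text_data.txt" + " " * 40 + ".pif"
    sample = build_sample_zip([padded, "readme.txt", "notes.tar.gz"])
    for finding in scan_zip_attachment(sample):
        print(finding)
```

The padding count is reported because a long run of spaces pushes the real extension out of view in a file listing, which makes it a stronger signal than a plain double extension.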
The virus constructs messages in either German or English using random
characteristics.
German Version:
From: (address is spoofed)
Subject: WM-Ticket-Auslosung
Message Body: The message body will be one of the following:
Herzlichen Glueckwunsch,
beim Run auf die begehrten Tickets fur die 64 Spiele der
Weltmeisterschaft 2006 in Deutschland sind Sie dabei.
Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
Ihr "ok2006" Team
St. Rainer Gellhaus
--- FIFA-Pressekontakt:
--- Pressesprecher Jens Grittner und Gerd Graus
--- FIFA Fussball-Weltmeisterschaft 2006
--- Organisationskomitee Deutschland
--- Tel. 069 / 2006 - 2600
--- Jens.Grittner@ok2006.de
--- Gerd.Graus@ok2006.de
An example of a randomly generated English message is as follows:
From: (address is spoofed)
Subject: Your Password
Body:
Account and Password Information are attached!
Visit: http://www. {sender's domain}
*** AntiVirus: No Virus found
*** "{recipient's domain} " Anti-Virus***
http://www. {recipient's domain}
System Protection and Cure
McAfee proactively protected over 8,000 McAfee VirusScan online customers in
the first three hours after the discovery of Sober.p. More information on
Sober.p and cure for this worm can be found online at the McAfee AVERT site
located at http://vil.nai.com/vil/content/v_133409.htm . McAfee customers
have been protected from this threat since the release of the 4443 DAT files
on March 9, 2005. The 4443 - 4481 DAT files proactively detect this newly
discovered variant as W32/Sober.gen@MM.
McAfee AVERT is one of the top-ranked anti-virus and vulnerability
research organizations in the world, employing researchers in thirteen
countries on five continents. McAfee AVERT combines world-class malicious
code and anti-virus research with intrusion prevention and vulnerability
research expertise from the McAfee IntruShield(R), McAfee Entercept(R) and
McAfee Foundstone(R) Professional Services organizations. McAfee AVERT
protects customers by providing cures that are developed through the combined
efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology,
which applies advanced heuristics, generic detection, and ActiveDAT technology
to generate cures for previously undiscovered viruses.
About McAfee, Inc.
McAfee, Inc., headquartered in Santa Clara, California, is the market
leader in Intrusion Prevention and Risk Management solutions. McAfee delivers
innovative and proven solutions and services that secure systems and networks
around the world. With McAfee's unmatched security expertise, home, business,
government, and service provider customers block attacks, prevent disruptions,
and continuously track and improve their security. www.mcafee.com.
NOTE: McAfee, AVERT, IntruShield, Entercept and Foundstone are either
registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in
the United States and/or other countries. The color Red in connection with
security is distinctive of McAfee brand products. All other registered and
unregistered trademarks herein are the sole property of their respective
owners.
SOURCE McAfee, Inc.
-0- 05/02/2005
/CONTACT: Tracy Ross of McAfee, Inc., Tracy_ross@nai.com, or
+1-408-346-5965; or Ally Zwahlen of Porter Novelli,
Ally.Zwahlen@porternovelli.com, or +1-408-369-4665, for McAfee, Inc./
1806 05/02/2005 18:35 EDT http://www.prnewswire.com