SecurityFocus 2005-12-20
A 20-year-old German man turned himself and his child-porn collection in to authorities after believing a message propagated by the recent Sober virus that law enforcement officers were investigating his activities, Germany's Federal Criminal Investigation Office said on Monday.
The Sober.X virus, also known as Sober.Y, attempts to fool computer users into running the malicious program by attaching itself to an e-mail that seems to come from the FBI or its German counterpart, known as the Federal Criminal Investigation Office or Bundeskriminalamt (BKA). The message implies that the law enforcement agency is investigating the recipient and asks the user to open an attachment and answer questions.
In reality, the attachment is the Sober virus, which quickly takes control of the victim's PC to send more copies of itself, said Mikko Hyppönen, chief research officer for antivirus firm F-Secure.
"I'm glad the guy was stupid enough to get caught," Hyppönen said. "If you have to write viruses, something like the type of message is not bad."
While a prior version of the Sober virus had a similar message, this is likely the first time that a message intended to convince the recipient to run the virus scared a wrongdoer enough to turn themselves in. The Sober virus has made headlines because its creator has used the program to spread right-wing German propaganda and messages of hate. The latest variant is expected to download a payload on January 5, the anniversary of the founding of the Nazi party, according to antivirus firms.
While consumers have gotten better about distrusting the e-mail messages produced by such viruses, millions of PCs are currently infected and compromised by the control software, known as bot software, that such viruses install, according to recent investigations.
The Sober virus does not install sophisticated bot software, but does compromise a PC so that it will spread future versions of the virus, F-Secure's Hyppönen said.
"Every new version of Sober infects every single computer already infected by Sober. So the bigger a Sober infection gets, the bigger the next launch of the next Sober is," he said.
The English version of the latest variant of the Sober virus has a common collection of possible messages, including notes from administrators and e-mail bounce notifications. In addition, there is a message that appears to come from the FBI or the CIA.
The English version of the message states:
we have logged your IP-address on more than 30 illegal Websites. Important: Please answer our questions! The list of questions are attached.
The Paderborn, Germany resident read the bulk e-mailed message sent by the latest Sober virus, panicked and contacted the police to admit he possessed child pornography, the BKA said in a statement. A search of the suspect's hard drive allegedly turned up pornographic images of minors--pictures that the suspect also sent out through e-mail, the BKA stated.
The FBI did not immediately know if any similar cases had occurred in the United States.