Fact Check

Sober.X (aka 'Illegal Websites') Virus

Information about the Sober.X (aka 'Illegal Websites') computer virus warnings.

Published Nov. 21, 2005

Claim:

Virus:   Sober.X (aka "Illegal Websites")


Status:   Real.

Example:   [Collected on the Internet, 2005]




Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison

++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505

++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time


Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison

*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535



Origins:   Like the earlier Sober.C mass-mailing worm which hit in 2003, this latest version (Sober.X) employs phony warning messages supposedly sent by law enforcement agencies which claim to be tracking illegal Internet activity. In this case, the messages purport to come from a "Steve Allison," an investigator with either the FBI or the CIA, and state that the recipient has visited "more than 30 illegal Websites," presenting him with a "list of questions" he must answer. The whole thing is, of course, a fiction intended to lure the reader into opening the attached .ZIP file so that the worm can spread to his PC.

Once it has infected a system, Sober.X may disable security and firewall programs, replicate itself by sending messages to contacts found in e-mail address books, block access to computer security web sites, and open security holes that allow outsiders to access personal data.

Sober.X e-mails are sent out with a variety of subject lines:


  • hi, ive a new mail address
  • Mail delivery failed
  • Paris Hilton & Nicole Richie
  • Registration Confirmation
  • smtp mail failed
  • You visit illegal websites
  • Your IP was logged
  • Your Password

The FBI has placed an alert about these messages on its web site:



The FBI today warned the public to avoid falling victim to an on-going mass e-mail scheme wherein computer users received unsolicited e-mails purportedly sent by the FBI. These scam e-mails tell the recipients that their Internet use has been monitored by the FBI and that they have accessed illegal web sites. The e-mails then direct recipients to open an attachment and answer questions.

The e-mail appears to be sent from the e-mail addresses of mail@fbi.gov and admin@fbi.gov. There may be other similarly styled addresses. The recipient is enticed to open the zip attachment which contains a w32/sober.jen@mm worm. The attachment does not open and its goal is to utilize the recipient's computer to garner information. Secondly, the virus allows the e-mail to be forwarded to all those listed in the recipient's address book.


Only Microsoft Windows platforms are vulnerable to Sober.X.

Symantec offers removal instructions and updated virus definitions to help combat Sober.X.
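
The indicators described above (the listed subject lines, the spoofed fbi.gov sender addresses, and the ZIP attachment) can be combined into a simple mail-triage check. The following Python sketch is an added example, not part of the original article or of any vendor's tooling; the function names, sample messages, and attachment filenames are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from this page: the subject lines and spoofed senders.
SUBJECTS = {
    "hi, ive a new mail address", "mail delivery failed",
    "paris hilton & nicole richie", "registration confirmation",
    "smtp mail failed", "you visit illegal websites",
    "your ip was logged", "your password",
}
SENDERS = {"mail@fbi.gov", "admin@fbi.gov"}
ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts a ZIP archive

def zip_attachments(msg):
    """Names of leaf MIME parts that are ZIPs by extension or by magic bytes."""
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") or body.startswith(ZIP_MAGIC):
            found.append(name)
    return found

def triage(raw):
    """Return (verdict, matched_indicators, zip_names) for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").lower().split())
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    hits = [k for k, ok in (("subject", subject in SUBJECTS),
                            ("sender", sender in SENDERS)) if ok]
    zips = zip_attachments(msg)
    # Several subjects ("Mail delivery failed", "Your Password") are common in
    # legitimate mail, so an indicator only counts alongside a ZIP attachment.
    return ("quarantine" if hits and zips else "deliver"), hits, zips

def build_sample(subject, sender, filename=None):
    """Constructed test message; not a captured Sober.X e-mail."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content("Constructed sample body.")
    if filename:
        m.add_attachment(ZIP_MAGIC + b"\x00" * 26, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Requiring both an indicator and a ZIP attachment keeps ordinary bounce notices and password-reset mail from being quarantined on subject alone.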

Last updated:   24 November 2005





  Sources:

    Mohammed, Arshad and Brian Krebs.   "Computer Worm Poses as E-Mail From FBI, CIA."
    The Washington Post.   24 November 2005   (p. D1).

    Reuters.   "Scam E-Mails Warn of FBI Monitoring, Agency Says."
    21 November 2005.


David Mikkelson founded the site now known as snopes.com back in 1994.