Fact Check

Sober K Virus

Information about the Sober K computer virus delivered in an email supposedly from the FBI.

Published Feb. 23, 2005


Virus:   SoberK

Status:   Real.

Example:   [Collected on the Internet, 2005]

Dear Sir/Madam,

we have logged your IP-address on more than 40 illegal Websites.

Important: Please answer our questions!
The list of questions are attached.

Yours faithfully,
M. John Stellford

++-++ Federal Bureau of Investigation -FBI-
++-++ 935 Pennsylvania Avenue, NW, Room 2130
++-++ Washington, DC 20535
++-++ (202) 324-3000

Origins:   In mid-February 2005, e-mails accusing recipients of having visited "more than 40 illegal Websites" and purporting to come from the Federal Bureau of Investigation began turning up. Those cowed by the charge into opening the attachment (indictment_cit9792.zip) unwittingly released W32.Sober.K@mm onto their computers. The virus is a mass-mailing worm that uses its own SMTP engine to send itself to e-mail addresses gathered from compromised computers.

The FBI has nothing to do with these letters — these missives are purely the work of the virus originator, his or her way of ensuring the attachment accompanying the e-mail gets opened and thus its payload triggered. On 22 February 2005, the FBI issued the following press release about these letters:


E-mails purporting to come from FBI are phony

Washington, D.C. - The FBI today warned the public to avoid falling victim to an on-going mass e-mail scheme wherein computer users receive unsolicited e-mails purportedly sent by the FBI. These scam e-mails tell the recipients that their Internet use has been monitored by the FBI’s Internet Fraud Complaint Center and that they have accessed illegal web sites. The e-mails then direct recipients to open an attachment and answer questions. The attachments contain a computer virus.

These e-mails did not come from the FBI. Recipients of this or similar solicitations should know that the FBI does not engage in the practice of sending unsolicited e-mails to the public in this manner.

Opening e-mail attachments from an unknown sender is a risky and dangerous endeavor as such attachments frequently contain viruses that can infect the recipient’s computer. The FBI strongly encourages computer users not to open such attachments.

The FBI takes this matter seriously and is investigating. Users receiving e-mails of this nature are encouraged to report it to the Internet Crime Complaint Center via https://www.ic3.gov.

This is not the first time a virus has been spread via an e-mail purporting to come from the FBI. In January 2004, a SoberC variant was passed along in similar fashion with its payload e-mails serving notice that "your computer was scanned" and the "contents of your computer were confiscated."

Additional information:

W32.Sober.K Virus (Symantec)
W32.Sober.K (Sophos)
W32.Sober.K Virus (F-Secure)

Last updated:   23 February 2005

David Mikkelson founded the site now known as snopes.com back in 1994.