Malaysia is relatively Sober-free
30th November 2005 (The Star)

PETALING JAYA: Malaysian companies and organisations were generally not affected by the Sober worm outbreak last week, several Internet security agencies reported.

According to the National ICT Security and Emergency Response Centre (Niser), there were only two reports made by organisations claiming that they had received e-mail messages attached with the Sober worm, and only one case of a PC being infected as at press time.

Niser director Kol Husin Jazri said the Sober worm has been assessed as a "medium" intensity threat by most antivirus vendors.

"We believe the threat is also not serious to Malaysian companies/organisations, compared with other worms and viruses such as Code Red, Nimda, Blaster or Nachi that have struck in the past," he told In.Tech in an e-mail interview.

The Sober worm - codenamed W32.Sober.L.@mm, and dubbed by many security experts as possibly the worst computer worm of the year - has hit millions of users globally since it first appeared in 2003.

In its latest outbreak on Nov 22, the worm arrived attached to e-mail messages that circled the globe under a variety of different subject headings.

Some of these headings were: "Paris Hilton & Nicole Richie," "Registration Confirmation," and "SMTP mail failed," according to Niser.

But perhaps the e-mail message that was most effective at fooling users was the one that purportedly originated from the FBI or CIA. The e-mail duped users into believing that either of the two US security agencies had discovered users visiting "illegal" websites and proceeded to ask them to open an attachment to answer a series of "official questions."

If the user complied, the computer would be infected with the worm, which would then seek to disable any security and firewall programs residing on the PC. The worm also replicated itself and would be sent to other users using the infected computer's e-mail client in conjunction with the address book.

The Sober worm also prevented the user from getting to various security vendors' websites that might help fix the problem, and sometimes opened the PC to intruders who could steal personal data via a "backdoor" program.

Antivirus company Sophos Plc said it had not received any reports of infections in this country and only got a few calls from Malaysia-based customers, as it had already provided antivirus pattern files for this worm earlier in the year.

The majority of calls received were from customers seeking reassurance on the details of the worm or to confirm that their protection measures were sufficient, said Charles Cousins, its managing director for Asia.

The Abingdon, Britain-based Sophos believes that the latest outbreak used clever "social engineering" techniques that seek to manipulate users to unknowingly help spread the worm.

"This variant of the Sober worm may catch out the unwary as they open their e-mail messages. Every law-abiding citizen wants to help the police with their enquiries, and some will panic as they might be falsely accused of visiting illegal websites and want to click on the unsolicited e-mail attachment," said Cousins, in an e-mail interview.

Tokyo-based Trend Micro Inc said that while last week's Sober worm outbreak has been categorised as "medium," the damage and distribution potential of the worm is high.

"Besides terminating antivirus and malware-related processes causing systems to be vulnerable to other attacks, the worm also consumes network bandwidth because it sends out numerous e-mail messages, slowing down networks," said Wong Joon Hoong, Trend Micro (M) Sdn Bhd's country manager.

Wong said most organisations have antivirus software in place, but protection is dependent on how fast the antivirus pattern file is made available and on users updating their systems.

Despite the relatively low impact of the Sober worm in the country, Niser's Husin said all users should remain vigilant and follow safe computing guidelines.

"PCs should be kept automatically updated with the latest antivirus protection and users must not open attachments they receive from an unknown source over the Internet, via e-mail or instant messengers.

"Should you need to open the attachment, ensure that you scan the attachment with an updated version of an antivirus software to detect if it contains any viruses.

"Lastly, make a report to Niser or to your respective Internet service provider if you've encountered a suspicious e-mail message," he said.