How do they get this info?

Question

This last week I received numerous emails with the Sober virus attachment & didn't open any of the attachments. But, a couple of them were addressed from my employer. How do they get this info?

- Penny

Answer

This question was answered on December 8, 2005. Much of the information contained herein may have changed since posting.

The Sober family of "worms" has been around since late 2003 and to date there are over 30 variants. (The basic difference between a worm and a virus is that a virus spreads on a file-to-file basis, while worms spread on a machine-to-machine basis. The latter "worms" its way through computer networks, including the world's largest computer network, otherwise known as the Internet.)

One of the most common traits of today's worms and e-mail viruses is that they "spoof" the From: address to trick folks into thinking that the message is legitimate and to confuse the recipient.

The virus and worm writers figured out a while ago that if the infected machine's e-mail address was used in the From: section, it would be easy for the recipient to notify the sender that they were infected. By randomly selecting an e-mail address (that is harvested from the infected machine's address book) as the sender, the recipient would notify the wrong party that they received an infected message from them.

This confusion helps keep the virus infection alive because the infected party continues on with life with no idea that they are infected.

What you are experiencing is caused by someone that is infected with the Sober worm that has both your and your company's e-mail addresses in its address book (your company's address was randomly selected as the sender). Since you got the message and your company's e-mail address was spoofed as the sender, you can narrow down the possible infected parties to those that would have a reason to have both addresses in their address book (which can be numerous).

Your company's IT department may want to consider sending out a warning message to all of its employees to update their anti-virus software and run a full system scan to make sure the worm is not being sent by one of the company systems. Be sure they encourage everyone to also check their personal machines, as they may also have both addresses and be the culprit.

It is equally likely that the infected system is one that is owned by a customer or vendor, as they would also have both your address and your company's address in their address books.

The most current variant of the Sober worm has a payload that is set to trigger on January 5th and will instruct infected systems to download new instructions and likely create another massive wave of infected e-mail messages.

All of today's antivirus software is capable of detecting and blocking out this worm, but only if it is up-to-date. One of the characteristics, however, is that it will attack your antivirus software and lower the settings so it can do its damage, so don't assume that everything is just fine because you see the antivirus program's icon next to your clock.

If you want to make sure your antivirus program has not been compromised, you can use an online virus scan (such as the one from Trend Micro at HouseCall.AntiVirus.com) to make sure your system is clean.


Author

Posted by Ken of Data Doctors on December 8, 2005
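The answer above explains that the From: line is simply filled in by the worm with an address harvested from the infected PC, so it says nothing about where the message really came from. The example below is an added illustration, not code from Data Doctors or from the original answer: it uses Python's standard `email` library to compare the From: domain against two things the worm cannot freely choose, the envelope sender recorded in Return-Path: and the relay hosts recorded in the Received: chain. Both sample messages, the host names and the addresses in them are constructed for this example.

```python
"""Flag e-mail whose From: header is probably spoofed.

Added example (not from the original page). It compares the From: domain with
the envelope sender (Return-Path:) and with the hosts named in the Received:
chain, which the receiving mail servers add and the sending worm cannot forge
after the fact. All messages and host names below are constructed samples.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: a worm on a home PC sends a message that claims to come
# from the recipient's employer. Neither relay belongs to employer.example.com.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.example.com (mx.example.com [192.0.2.10])
        by inbox.example.org with ESMTP id abc123; Thu, 8 Dec 2005 09:00:00 -0700
Received: from infected-pc.example.net (dsl-pool.example.net [198.51.100.7])
        by mx.example.com with SMTP id xyz789; Thu, 8 Dec 2005 08:59:58 -0700
From: "HR Department" <hr@employer.example.com>
To: penny@example.org
Subject: Your new password
Content-Type: text/plain

See attachment.
"""

# Constructed sample 2: a genuine message from the employer's own mail server.
SAMPLE_LEGIT = """\
Return-Path: <hr@employer.example.com>
Received: from mail.employer.example.com (mail.employer.example.com [203.0.113.5])
        by inbox.example.org with ESMTP id def456; Thu, 8 Dec 2005 09:10:00 -0700
From: "HR Department" <hr@employer.example.com>
To: penny@example.org
Subject: Holiday schedule
Content-Type: text/plain

See attached.
"""


def _domain(header_value):
    """Lower-cased domain of the address in an address header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def received_hosts(msg):
    """Hosts named in 'Received: from <host>' clauses, newest hop first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        match = re.match(r"\s*from\s+([^\s(;]+)", hdr)
        if match:
            hosts.append(match.group(1).lower())
    return hosts


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def origin_host(raw_message):
    """The earliest relay in the chain, i.e. the host that first handed the
    message to a mail server (last Received: header). '' if none recorded."""
    hops = received_hosts(message_from_string(raw_message))
    return hops[-1] if hops else ""


def spoof_indicators(raw_message):
    """Return a list of reasons the From: header looks spoofed (empty if none)."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    if not from_domain:
        return ["From: header carries no parseable address"]

    indicators = []
    envelope_domain = _domain(msg.get("Return-Path"))
    if envelope_domain and envelope_domain != from_domain:
        indicators.append(
            f"envelope sender domain {envelope_domain!r} differs from "
            f"From: domain {from_domain!r}")

    hops = received_hosts(msg)
    if hops and not any(_in_domain(h, from_domain) for h in hops):
        indicators.append(
            f"no relay in the Received: chain belongs to {from_domain!r}; "
            f"message entered the mail system via {hops[-1]!r}")
    return indicators


if __name__ == "__main__":
    for name, raw in (("spoofed", SAMPLE_SPOOFED), ("legitimate", SAMPLE_LEGIT)):
        print(name, "->", spoof_indicators(raw) or "no indicators")
```

Run on the constructed samples, the spoofed message trips both checks and points at `infected-pc.example.net` as the host that first handed the message in, which is the kind of detail a mail administrator would use to find the infected party the answer describes. The legitimate message trips neither. Mailing lists and forwarding services also rewrite the envelope sender, so treat these indicators as a triage signal for the helpdesk rather than proof of infection.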