Thanksgiving will bring a Sober hangover

The largest virus outbreak this year will gain new momentum when the US comes back from its Thanksgiving break, say experts. IT managers should brace themselves

The latest outbreak of the Sober worm will accelerate as US computer users turn their PCs back on after the Thanksgiving holiday, security firm MessageLabs warned on Friday.

Business users will return from the break and open mail that has been sitting in their inbox since the first hours of the attack, which could include infected emails, MessageLabs warned.

Sober-Y spreads in emails that pretend to come from the FBI or which claim to contain video clips of celebrity heiress Paris Hilton. It is activated if the user runs an email attachment.

"Once this worm has been activated behind a firewall, it's very difficult to identify, as most firewalls don't inspect outbound data traffic," said Paul Wood, senior analyst at MessageLabs.

Businesses may also suffer if their mail servers are swamped by email traffic caused by infected home users.

"Businesses may suffer collateral damage due to the volume of mail hitting people's mailservers. Even secure business servers may be affected, as spam still consumes bandwidth before it can be rejected," said Wood.

This week's Sober attack is the largest that MessageLabs has seen in 2005. "This is the biggest outbreak of a mass-mailing virus all year. It is a concern because we thought we'd seen the last of mass-mailers," said Wood.

Experts at antivirus company Sophos also see Sober-Y as a major threat. Globally, one in 18 emails are now infected by the Sober worm, Sophos said on Friday.

"The new Sober worm is spreading at such a rate that it now accounts for over 80 percent of all viruses reported. It is currently the most widespread computer virus in the world," said Graham Cluley, Sophos' senior technology analyst.

If activated, Sober-Y attempts to turn off security software on the user's computer. The zip file in the attachment contains a copy of the worm with the filename File-packed_dataInfo.exe. The worm then scans the user's hard drive for other email addresses, in its search for other computers to infect, Sophos said.

MessageLabs believes Sober-Y could continue to spread in large quantities for some time, as the auto switch-off function used in most mass-mailing malware hasn't been enabled.

"Normally you would see an auto switch-off function included in the code, because controllers don't want to draw too much attention to their botnets — so there's a cut-off date, and the outbreak stops. We haven't seen a cut-off date in this Trojan, so this outbreak could continue for some time," said Wood.

This outbreak is likely to be financially motivated. MessageLabs believes that cybercriminals may be trying to increase the number of compromised computers they have access to before Christmas, for financial gains.

"We believe botnet controllers are bolstering their botnets before Christmas, to sell access to spammers," said Wood.

The source code for Sober originated in Germany, but is now being used by Eastern European criminal gangs, said MessageLabs.

IT managers were advised to actively monitor their outbound email traffic for evidence that they have been infected by Sober-Y, and not just rely on a firewall. "It's certainly a challenge for organisations to control email traffic just by using a firewall. IT managers can manage this particular outbreak by protecting HTTP and SMTP traffic," said Wood.
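One way to act on that advice, as an added example that is not code from MessageLabs, Sophos or the article: a small Python detector run over constructed outbound-mail log lines, flagging a workstation that sends the payload filename Sophos names above or that emits a burst of outbound messages. The log format, the `attach=` field (assumed to carry the innermost attachment name from a content filter) and the per-minute threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Payload filename the article reports inside the Sober-Y zip attachment.
SOBER_Y_PAYLOAD = "file-packed_datainfo.exe"

# Assumed log format (not from any real product): one outbound message per
# line, with the innermost attachment name as reported by a content filter.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) client=(?P<host>\S+) "
    r"to=(?P<rcpt>\S+)(?: attach=(?P<attach>\S+))?$"
)

def analyse(log_text, max_per_minute=5):
    """Return {host: sorted reasons} for hosts that look like mass-mailers."""
    findings = defaultdict(set)
    window = defaultdict(deque)  # host -> send times within the last 60 s
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line (e.g. a connect/disconnect event)
        host = m["host"]
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        # Rule 1: the known Sober-Y payload name leaving the network.
        if (m["attach"] or "").lower() == SOBER_Y_PAYLOAD:
            findings[host].add("sober-y-payload")
        # Rule 2: sliding 60 s window of outbound messages per host; a
        # workstation exceeding the threshold behaves like a mass-mailer.
        q = window[host]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=60):
            q.popleft()
        if len(q) > max_per_minute:
            findings[host].add("outbound-burst")
    return {h: sorted(r) for h, r in findings.items()}

# Constructed sample log (not real traffic): one workstation sends a burst of
# copies of the payload, another sends two ordinary messages.
SAMPLE_LOG = """\
2005-11-25T09:00:01 client=ws-17.corp.example to=partner@example.net attach=agenda.pdf
2005-11-25T09:00:05 client=ws-42.corp.example to=a@example.org attach=File-packed_dataInfo.exe
2005-11-25T09:00:06 client=ws-42.corp.example to=b@example.org attach=File-packed_dataInfo.exe
2005-11-25T09:00:06 client=ws-42.corp.example to=c@example.org attach=File-packed_dataInfo.exe
2005-11-25T09:00:07 client=ws-42.corp.example to=d@example.org attach=File-packed_dataInfo.exe
2005-11-25T09:00:07 client=ws-42.corp.example to=e@example.org attach=File-packed_dataInfo.exe
2005-11-25T09:00:08 client=ws-42.corp.example to=f@example.org attach=File-packed_dataInfo.exe
2005-11-25T09:00:30 client=ws-17.corp.example to=boss@corp.example
Nov 25 09:00:31 mailhost postfix/smtpd[123]: disconnect from ws-17.corp.example
"""
```

Calling `analyse(SAMPLE_LOG)` reports only ws-42, with both reasons; the burst rule alone still catches a variant whose payload is renamed.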