Worm masquerades as Microsoft patch
![munir-kotadia.jpg](https://www.zdnet.com/a/img/resize/a9c46e965b5c5b25d058d5cfe616385d51c003a2/2014/07/22/ff94b4a9-1174-11e4-9732-00505685119a/munir-kotadia.jpg?auto=webp&fit=crop&frame=1&height=192&width=192)
Sober.D, discovered on Monday, is technically similar to its previous incarnation, Sober.C, which used its own SMTP engine to send copies of itself to e-mail addresses found on infected systems. But the latest version displays fake Microsoft warnings and error messages.
"It arrives in an e-mail that pretends to be a patch to protect against a version of MyDoom," said Graham Cluley, a senior technology consultant at antivirus company Sophos. "The e-mail appears to be a Microsoft patch, so people will of course double-click on that attachment."
According to Finnish antivirus company F-Secure, Sober.D spreads either as an executable attachment or inside a password-protected Zip archive attached to an e-mail. Once a person clicks on the file, the worm scans the PC to see if it has already been infected.
If the system is clean, a small box appears with the message: "This patch has been successfully installed." If the system is already infected with Sober.D, the message says: "This patch does not need to be installed on this system."
Sober.D also changes its language depending on where it is being sent. If the recipient's e-mail address has a "de," "ch," "at," "li," "nl" or "be" extension, the text will be in German and the subject will read: "Microsoft Alarm: Bitte Lesen." Otherwise the subject line is in English and reads: "Microsoft Alert: Please Read!" Previous versions of Sober have also been bilingual, Cluley said.
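The delivery traits described above (the two subject lines, an executable attachment, or a password-protected Zip) can be checked at a mail gateway. The following is an added example, not code from the article or from any vendor it quotes; the extension list, the function names and the sample messages are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines quoted in the article (German and English variants).
SUBJECTS = {"microsoft alarm: bitte lesen", "microsoft alert: please read!"}
# Assumption: extensions a gateway would treat as directly executable.
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")

def zip_is_encrypted(data: bytes) -> bool:
    """True if any member has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def assess(raw: bytes) -> list:
    """Return which traits from the article a raw message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTS):
            hits.append("executable-attachment")
        elif name.endswith(".zip") and zip_is_encrypted(part.get_payload(decode=True) or b""):
            hits.append("encrypted-zip")
    return hits

def sample(subject: str, filename: str = "", data: bytes = b"") -> bytes:
    """Constructed message for the demo; not a captured Sober.D sample."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.de", subject
    m.set_content("constructed body")
    if filename:
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

def flagged_zip(encrypted: bool) -> bytes:
    """Constructed zip; optionally sets the encryption bit in the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed")
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[raw.rfind(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)
```

A scanner cannot inspect the contents of an encrypted archive, so the check reports the encryption flag itself as the signal rather than trying to open the member.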
This is not the first time that a worm has disguised itself as a Microsoft update. In January, the Xombe, or Trojan.Xombe, worm posed as a critical patch for Windows XP. This was believed to be a copycat of 2003's most successful worm, Swen, which is thought to be the first known worm to masquerade as a security warning from Microsoft.
Microsoft has always maintained that it does not e-mail patches to people, so they should ignore any such messages.