New version of Sober worm pretends to be an email from FBI or CIA

Internet users are being warned of an in-the-wild worm which is pretending to be an email from an FBI or CIA investigator.

In the last four hours, the worm has accounted for over 35% of all viruses reported to Sophos, making it currently the most prevalent virus spreading across the world. The FBI is so concerned about the messages that it has issued a warning on its website.

The new version of the Sober worm arrives as an email attachment, with the following message body:

Dear Sir/Madam,

We have logged your IP-address on more than 30 illegal Websites.

Important: Please answer our questions! The list of questions are attached.

Yours faithfully,
Steven Allison
Federal Bureau of Investigation-FBI-
935 Pennsylvania Avenue, NW , Room 3220
Washington , DC 20535
Phone: (202) 324-30000

(Sometimes the emails claim to come from the same investigator, but at the CIA.)

If the attached file is run, the worm scans the user's hard drive for other email addresses, in its search for other computers to infect.

In a statement, the FBI has urged users who receive the viral emails to report them to the Internet Crime Complaint Center at

"This variant of the Sober worm may catch out the unwary as they open their email inbox this morning," said Graham Cluley, senior technology consultant at Sophos. "Every law-abiding citizen wants to help the police with their enquiries, and some will panic that they might be being falsely accused of visiting illegal websites and want click on the unsolicited email attachment. All users should be reminded to follow safe computing guidelines, and PCs should be kept automatically updated with the latest anti-virus protection. Anyone who may have information about the Sober worm's author should report it to the computer crime authorities. This malware writer has been maliciously attacking innocent computer users for over two years, and must be stopped."...[ More ][ Details ]


