Microsoft Security Advisory on Win32/Sober

Hi everyone, Stephen Toulouse here. There is a lot of activity happening within the MSRC this week, so I wanted to make sure that, in addition to the guidance we’ve put out around the WMF vulnerability, we also let you know that we’ve issued a security advisory regarding recent variants of the Win32/Sober worm.  To be clear, these are separate and unrelated issues; however, getting guidance out to customers is equally important when customers are faced with any sort of malicious threat. 


The antivirus community has been tracking variants of Win32/Sober, a mass-mailer worm that attempts to entice users into opening an attached executable or clicking a malicious URL sent via instant message (IM).  The worm doesn’t appear to target a security vulnerability; it relies instead on the user opening the attachment or clicking the link in their IM window in order to execute.


On systems already infected by Win32/Sober.Z@mm, the malware is programmed to download and run malicious files from certain Web domains beginning on January 6, 2006.  Approximately every two weeks thereafter, the worm is set to download and run malicious files from additional sites on the same Web domains.


We’ve added detection for the latest Sober variants to the Malicious Software Removal Tool and the Windows Live Safety Center, and customers who think they might be infected can go to the Windows Live Safety Center and choose “Protection Scan” to remove all known variants of Win32/Sober.  The Malicious Software Removal Tool will also be updated as part of the regular security update release cycle on January 10, 2006 to scan for and remove any known infections of Win32/Sober.Z from a user’s computer.  


We have issued a security advisory that provides guidance to help affected customers protect themselves; it is available here.
*This posting is provided “AS IS” with no warranties, and confers no rights.*