
FBI Virus Emails – Sober Worm

by Brett M. Christensen

Outline:
Email, supposedly from the FBI or the CIA, claims the recipient has been logged visiting illegal websites


Status:
Email attachment contains a variant of the Sober worm.

Example:
Subject : You_visit_illegal_websites

Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.

Important:

Please answer our questions!

The list of questions are attached.

Yours faithfully,
Steven Allison

*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000



Detailed Analysis:
Another variant of the Sober worm, Sober X, is currently hitting inboxes around the world. A frightening aspect of this worm is that it may arrive as an email attachment that pretends to be from America’s Federal Bureau of Investigation (FBI). Some versions claim to be from the CIA rather than the FBI. The virus email claims that the recipient has been logged visiting illegal websites, and asks him or her to open the attached file to answer a list of questions. However, opening the attachment can infect the computer with a variant of the Sober worm.

It hardly needs to be said that the email is not really from the FBI. Information on the FBI’s website states that:

We’re sorry to report yet another wave of virus-laden e-mails sent out with false FBI addresses. This particular e-mail claims the FBI has been monitoring your Internet use…says you’ve accessed so-called illegal websites…and demands you answer questions—all you have to do is open an attachment, maliciously laced with a variant of the w32/sober virus.

Don’t do it! In fact, don’t EVER respond to unsolicited poison pills like these. The FBI does not conduct business this way.

The CIA website also warns visitors about these bogus emails:

Some members of the public have in the past few days received a bogus e-mail falsely attributed to CIA’s Office of Public Affairs. CIA did not send that message. In fact, it does not send unsolicited e-mail to the general public, period. If you have gotten such a message, we strongly encourage you not to open the attachment, which contains a destructive virus.

The hidden purpose of this virus message is simply to panic recipients into clicking on the attachment and inadvertently infecting their machine. Sober X can also arrive as a fake “Delivery Status Notification” message, as emails that promise free Paris Hilton videos, and as a variety of other messages.

An earlier variant of Sober that was hitting inboxes in early 2005 used very similar tactics (see example below).

For details about this worm and what to do about it, access the Symantec write-up about Sober X by following the link below:

Such ruses are a common ploy used by virus creators. Worms can also arrive disguised as Microsoft security patches, free screensavers or other software, love letters and compromising photographs, just to name a few.

Computer users should always be very cautious of emails that arrive with attachments, even those that appear to be from people they know and trust. Many modern Internet worms use spoofing techniques to disguise the real origin of infected emails.

Reliable, up-to-date anti-virus software is an essential requirement for Internet-enabled, Microsoft Windows-based computers.
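As an added illustration (not part of the original write-up), the sketch below shows how a mail filter could flag this lure using only the subject and body wording quoted in the examples on this page. The function names, verdict labels, recipient address and attachment file name are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Lure wording copied from the sample emails on this page.
SUBJECT_RE = re.compile(r"you[ _]visit[ _]illegal[ _]websites", re.I)
BODY_RE = re.compile(r"logged\s+your\s+IP-address\s+on\s+more\s+than\s+\d+\s+illegal\s+websites", re.I)
AGENCY_DOMAINS = {"fbi.gov", "cia.gov"}  # sender domains the lure impersonates

def indicators(raw):
    """Return the lure indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    text, has_attachment = [], False
    for part in msg.walk():
        if part.get_filename():
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            text.append(part.get_payload(decode=True).decode(charset, "replace"))
    found = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        found.append("lure-subject")
    if BODY_RE.search("\n".join(text)):
        found.append("lure-body")
    # The From header is trivially forged; it shows only what the mail claims.
    if parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower() in AGENCY_DOMAINS:
        found.append("claims-agency-sender")
    if has_attachment:
        found.append("attachment")
    return found

def verdict(raw):
    """Quarantine lure mail that carries a file; hold lure text alone for review."""
    found = indicators(raw)
    lure = [i for i in found if i != "attachment"]
    if lure and "attachment" in found:
        return "quarantine"
    return "review" if lure else "deliver"

# Constructed sample: headers and body follow the examples on this page; the
# attachment name and its content are placeholders, not taken from the worm.
SAMPLE = (
    "From: FBI@fbi.gov\nTo: user@example.com\n"
    "Subject: You_visit_illegal_websites\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain; charset="us-ascii"\n\n'
    "Dear Sir/Madam,\nwe have logged your IP-address on more than 30 illegal Websites.\n"
    '--b1\nContent-Type: application/octet-stream\n'
    'Content-Disposition: attachment; filename="placeholder.zip"\n\nPLACEHOLDER\n--b1--\n'
)

if __name__ == "__main__":
    print(indicators(SAMPLE), verdict(SAMPLE))
```

Because the From address proves nothing about origin, the filter treats an agency sender as a claim to be weighed together with the attachment, not as evidence of who sent the mail.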

Write-up by Brett M. Christensen

CIA Version:

Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.

Yours faithfully,

Steven Allison

++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505
++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time

An example from early 2005:

From: FBI@fbi.gov

To: [REMOVED]

Subject: You visit illegal websites

Dear Sir/Madam,

we have logged your IP-address on more than 40 illegal Websites.

Important: Please answer our questions!
The list of questions are attached.

Yours faithfully,
M. John Stellford

++-++ Federal Bureau of Investigation -FBI-
++-++ 935 Pennsylvania Avenue, NW, Room 2130
++-++ Washington, DC 20535
++-++ (202) 324-3000


