Sober Y Worm Activity
Wednesday, November 23, 2005

This Alert is being sent to notify you of recent worm activity that has propagated across the Internet in the past 24 hours. The following bulletin provides information about the worm and the steps that Perimeter Internetworking has taken to protect its customer base.


About the Sober Y Worm

This variation of the Sober worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Since its email propagation does not require any user intervention, affected users are often unaware that this worm is sending out email messages from their machines.

The email messages it sends out may be written in English or in German. Like other mass-mailers, this worm uses social engineering techniques, such as promises of celebrity pictures or alerts regarding alleged illicit behavior, to entice users into opening the worm copy attached to the email messages it sends. Specifically, some versions of this worm's email spoof the Federal Bureau of Investigation (FBI) or the Central Intelligence Agency (CIA), notifying the user that the agency has found evidence of the user supposedly visiting illegal Web sites. Similarly, one of the German email messages spoofs the Bundeskriminalamt and threatens legal action over the user's alleged downloads of films, software, and MP3 files.

To become infected, recipients must click on the attachment, which is zipped, unpack the zipped file, and then agree to run the executable file that appears. That provides several chances for a user to realize something is suspicious.

End User Protection

Since this worm requires the user to unpack the zipped attachment and run the executable inside it, all users are advised to take extra caution when dealing with emails that contain zipped attachments.

Steps taken by Perimeter to Protect Customers from the Worm Activity

Desktop AV Customers: All Desktop AV clients that subscribe to Trend's services were pushed a forced AV update to their systems. As a precautionary measure, the Damage Cleanup Utility from Trend (DCT/DCE) was pushed to the desktop clients to identify and stop any worm activity on desktop users infected through other mechanisms.

Gateway Defender Customers:
A global block was placed on our gateway to temporarily disallow any .zip files into the SMTP gateways, since this worm propagates through emails carrying infected .zip attachments. An email was sent to all customers informing them of our actions shortly after the blocking mechanisms were in place.

In addition, the Gateway was continuously monitored to identify suspicious external IP addresses on the public Internet attempting to make connections. All suspicious activity associated with the worm outbreak was blocked at the gateway.
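The two attachment policies described above (a blanket block on .zip attachments, and the finer check a gateway can apply once the blanket block is lifted) are illustrated below in an added example that is not Perimeter's gateway code. The message and archive are constructed inline; the list of executable extensions, the function names and the sender/recipient addresses are assumptions made for the example, not details from the bulletin.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: extensions treated as executable content inside an archive.
# The bulletin only says the zip contains "the executable file".
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def build_sample_message(zip_member_name=None):
    """Construct a sample email (constructed test data, not a real worm sample).

    With zip_member_name set, a .zip attachment containing a file of that
    name is added; with None, the message has no attachment at all.
    """
    msg = EmailMessage()
    msg["From"] = "spoofed-agency@example.invalid"   # constructed address
    msg["To"] = "user@example.invalid"               # constructed address
    msg["Subject"] = "Evidence of visits to illegal web sites"
    msg.set_content("Please review the attached log of your activity.")
    if zip_member_name is not None:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(zip_member_name, b"placeholder-payload-not-a-binary")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="evidence.zip")
    return msg.as_bytes()


def zip_attachments(raw):
    """Yield (filename, bytes) for every attachment that looks like a zip."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if name.lower().endswith(".zip") or ctype in (
                "application/zip", "application/x-zip-compressed"):
            yield name, part.get_payload(decode=True)


def executable_members(zip_bytes):
    """List archive members with an executable extension.

    An unreadable archive is reported as a single pseudo-member so that the
    caller treats it as suspicious rather than silently accepting it.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    hits = []
    for name in names:
        if name.endswith("/"):          # directory entry, nothing to run
            continue
        lower = name.lower()
        # endswith() also catches double extensions such as "list.txt.exe"
        if any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            hits.append(name)
    return hits


def gateway_verdict(raw, block_all_zips):
    """Return (verdict, reason) for one inbound message.

    block_all_zips=True mirrors the global .zip block described in the
    bulletin; False applies the finer policy of rejecting only archives
    that carry an executable member.
    """
    zips = list(zip_attachments(raw))
    if not zips:
        return "accept", "no zip attachment"
    if block_all_zips:
        return "reject", "global .zip block in effect: %s" % zips[0][0]
    for name, data in zips:
        bad = executable_members(data)
        if bad:
            return "quarantine", "%s contains executable member(s): %s" % (
                name, ", ".join(bad))
    return "accept", "zip attachments contain no executable members"


if __name__ == "__main__":
    for member in ("list.exe", "report.txt", None):
        sample = build_sample_message(member)
        for blanket in (True, False):
            print(member, "blanket=%s" % blanket, gateway_verdict(sample, blanket))
```

The blanket policy is what a gateway operator reaches for in the first hours of an outbreak, because it needs no knowledge of the worm beyond "it arrives as a zip"; the cost is that every legitimate zip is bounced too, which is why the bulletin describes the block as temporary. The member-inspection policy is the usual replacement once the worm's packaging is known, and it deliberately quarantines archives it cannot read rather than letting them through.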

SMTP Customers:
Since this worm had such a large impact and its mass mailings were causing latency across the Internet, Perimeter took the additional measure of monitoring its mail queues more frequently to detect anomalous behavior. As our mail queues began to spike, Perimeter allocated additional capacity to our email servers in order to reduce the latency experienced by our customers.
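A concrete form of the queue monitoring described above, added here as an example rather than Perimeter's own tooling: queue-depth samples are compared against a rolling baseline and a sample is flagged when it exceeds that baseline by a configurable multiple. The sample series, the window size and the multiplier are constructed assumptions.

```python
from statistics import median


def spike_samples(depths, window=6, multiplier=3.0, floor=50):
    """Return indices of queue-depth samples that count as a spike.

    Each sample is compared with the median of the preceding `window`
    samples (the baseline).  A sample is a spike when it exceeds
    multiplier * baseline and is also above `floor`, so that small queues
    rising from near zero do not trip the alarm.  The median is used
    instead of the mean so that one earlier spike does not drag the
    baseline up and hide the ones that follow it.
    """
    flagged = []
    for i in range(window, len(depths)):
        baseline = median(depths[i - window:i])
        if depths[i] > floor and depths[i] > multiplier * baseline:
            flagged.append(i)
    return flagged


# Constructed queue-depth samples, one per monitoring interval: a quiet
# baseline followed by a mass-mailing surge and then a partial recovery.
SAMPLE_DEPTHS = [12, 15, 11, 14, 13, 16, 14, 15, 90, 240, 310, 280, 60, 20]


if __name__ == "__main__":
    for i in spike_samples(SAMPLE_DEPTHS):
        print("interval %d: queue depth %d exceeds baseline" % (i, SAMPLE_DEPTHS[i]))
```

With the constructed series the surge is flagged from the first elevated sample onward; the baseline lags behind the surge because it is built only from samples before the current one, which is exactly the behavior that lets the later, still-high samples be reported rather than absorbed into a new normal.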

Customer Premise (CP) Location Firewall and AV Customers: Customers subscribing to Perimeter's customer premise managed firewall and AV services received updates to their devices that quarantine all activity associated with this worm.

Perimeter Worm Statistics

Perimeter successfully stopped 60,000 copies of Sober-infected e-mails at its email gateways within the first 24 hours after the worm began circulating. This statistic does not account for the majority of the pre-protection measures, described above, that Perimeter has taken to protect customers subscribed to the Gateway Defender services.