Computer Worm Poses as E-Mail From FBI, CIA

By Arshad Mohammed and Brian Krebs
Washington Post Staff Writers
Thursday, November 24, 2005

It's being called the worst computer worm of the year -- a fast-spreading Internet threat that looks like an official e-mail from the CIA or FBI but can leave your computer wide open to intruders.

The bogus e-mail claims the government has discovered you visiting "illegal" Web sites and asks you to open an attachment to answer some official questions. If you do, your computer gets infected with malware that can disable security and firewall programs and blast out similar e-mails to contacts in your address book. It can also keep you from getting to computer security Web sites that might help fix the problem, and it may open your Windows computer to intruders who can steal your personal data.

The worm -- named "Sober X" -- has spread so far so fast that the CIA and the FBI put prominent warnings on their Web sites making clear that they did not send out the e-mail and urging people to not open the attachment.

Across the Atlantic Ocean, Austria's equivalent to the FBI is investigating a flurry of similar bogus e-mails sent in its name to people in Austria, Germany and Switzerland, the Associated Press reported.

"This particular virus is a mass-mailer worm and is the largest one we have seen this year," said Alfred A. Huger, senior director of engineering at Symantec Corp., which sells Norton AntiVirus software. "It's as bad as it gets. With this particular type of virus on your system, there is a high probability that your personal information will be stolen."

Craig Schmugar, a virus-research manager at McAfee Inc.'s Avert Labs, said his company, which also makes anti-virus software, had logged more than 73,000 consumer computers reporting detection since the worm was discovered Monday.

British e-mail security company MessageLabs Ltd. said it has intercepted more than 2.7 million copies of Sober and its variants, noting that "the size of the attack indicates that this is a major offensive, certainly one of the largest in the last few months."

Still, the Sober worm was listed as only a "medium-risk" worm by security companies, which noted that it was not as widespread as others in recent years, notably MyDoom, which hit computer systems early last year.

Sober is known to affect only those computers running the Windows operating system. It appears that Apple and Linux computer users were not affected.

The e-mail informs the recipient that the user's "IP-address" has accessed more than 30 illegal Web sites and that the attachment contains a list of questions that need to be answered. The e-mail also includes an authentic phone number for the FBI or CIA.

And that has kept government switchboard operators busy.

FBI operators have been routing calls and complaints to its Internet Crime Complaint Center in West Virginia, which received more than 4,000 complaints about the worm on Monday. The ICC typically receives 18,000 complaints each month, said FBI spokeswoman Cathy Milhoan.

The FBI is investigating the source of the attack, which closely resembles an e-mail worm that surfaced in February, Milhoan said, though she declined to comment on the progress of that investigation.

Brian Krebs is a reporter for

© 2005 The Washington Post Company