[unisog] German email

Axel Pettinger api at worldonline.de
Tue May 17 22:28:27 GMT 2005


Bob Johnson wrote:
> Yes, it is all over the place.  It is spam probably related to a 
> German political campaign and/or the 60th anniversary of the end of WW 
> II.  

I doubt the latter. It's more likely that the reason for the spam is the
election in the largest population state "Nordrhein-Westfalen" (engl.
North Rhine-Westphalia) in Germany on Sunday (22nd). F-Secure's
description of what they call "Sober.Q" mentions that the spamming ends
after May, 22nd.

The last creation of the Sober worm author which sent this type of spam
mails appeared on June 11th, 2004. That was only a few days before an
election in the German state "Thüringen" (engl. Thuringia) and the
election for the European Parliament.

> My limited German language skills suggest that it is anti-immigration,
> nationalistic stuff.  The spam is claimed by many analysts to 
> originate from systems infected with some variant of the sober virus, 
> but the spam I've seen does not actually carry the virus.

The spam sending variant is more a backdoor trojan than a worm as it
cannot spread itself. The Sober worm variant which appeared first on May
2nd downloaded it and was then replaced by the trojan. I have no doubts
that the trojan will itself be replaced by another variant of the Sober
worm in a few days. The trojan is the reason why you shouldn't see a
single new coming mail with the Sober worm as attachment at the moment.

Axel Pettinger

More information about the unisog mailing list