In a recent case in Paderborn, Germany, a man allegedly accessing child pornography saw a note appear on his screen indicating that the German national police force knew what he was up to. It urged him to turn himself in, so the 20-year-old went to the nearest station and told the dumbfounded police that he was the one they were looking for, giving them specific details about his activities.
While they won't reveal much else about the case, the German police want it to be clear that they are not scanning people's computers. A computer virus helped them apprehend the suspect.
The man was using a computer infected with a worm -- a techie term for a self-sufficient virus that spreads on its own -- called Sober.X. Its origin is unknown, but it spreads through e-mail and affects Microsoft Corp.'s Windows operating systems. And it's smart. It can determine whether the computer's user speaks German or English -- English speakers get a note from the U.S. Federal Bureau of Investigation demanding they turn themselves in. The worm also hides itself by turning off anti-virus software and blocking access to known anti-virus websites, and it sends personal information such as names and addresses from the affected computer's e-mail and Web browsers to an offshore e-mail address.
Fighting crime is just the latest in a wide range of new uses virus makers are finding for the Sober worm technology, which first appeared in late 2003. Most of the others are far less benevolent.
"Sober.X is just one of a large family of Sober worms," said Sam Masiello, director of threat management for Denver-based software security company MX Logic Inc. "They have a common core code and all deal with some form of social engineering -- they come with e-mails offering the user something they might want."
Virus makers have been honing the worm's technology, and new variants have appeared as little as a single day apart. They've included messages about things such as World Cup tickets, digital videos featuring socialite Paris Hilton, and other inducements. And they are getting more creative all the time.
"One of the most popular variants promises a digital Christmas card," said Dominic Wild, a Vancouver-based security expert with Sophos PLC, an anti-virus software vendor.
Sober-based worms are designed to spread quickly, too. MessageLabs Ltd., a British electronic security firm, says it intercepted three million copies of Sober.X within the first 24 hours of its discovery.
Besides stealing personal information, Sober worms can automatically send e-mails of their own from an infected machine, unbeknownst to the user -- not just to replicate on other computers, but also to disseminate messages, often for extremist groups. Sober worms are even being used for profit.
"It's not like the old days when viruses were all about causing chaos by bringing down files and applications," Mr. Wild said. "The people that make these worms saw that spammers could make money, so they decided to get their share."
Virus writers can arrange to have their worms do various things in return for cash. Such worms can install themselves on a computer and set themselves up to automatically "click" on pay-per-click ads, skew search engine results or pad visitor statistics at commercial websites. Because they are intended to perform a task without the permission of the computer's owner, Sober viruses are also designed to operate as inconspicuously as possible.
"They're made hard to detect so they can do their jobs," Mr. Wild said.
But they aren't always invisible.
"People start seeing a gradual slowdown in their computer," Mr. Masiello said, "because the worm is busy calling home."
As with most threats, prevention is probably a more realistic plan than finding a cure, because the worm evolves so quickly. Prevention can be difficult, though -- Sober worms are transmitted by e-mail, and since they work by mining the address books of infected PCs, they may come in a message from what appears to be a trusted source.
"You don't have to open an attachment, you just have to open the infected e-mail," Mr. Masiello said. "So it's wise not to open e-mails from unknown sources or even odd-sounding e-mails from familiar people."
So if your grandmother is offering you bargain deals on prescription drugs, you may want to press the delete key.
