The longevity of the current Sober worm may be largely due to a new technique it uses to evade virus scans, according to antivirus firm Kaspersky Labs.
The worm, variously labelled Sober.P, Sober.S, Sober.O and Sober.V by different companies, continues to circulate in large amounts, making up 84 percent of all virus traffic as of Monday, according to Sophos. While researchers have attributed its success to the fact that it circulates in both English and German, and to its use of free World Cup tickets as a lure to users, social engineering is only part of the equation, Kaspersky said.
The new variant used a refined mechanism for blocking input/output access to its files by other programs, said Kaspersky senior research engineer Roel Schouwenberg in an alert posted this week. Previous variants used a similar technique, but didn't succeed in blocking programs running in the System account.
Sober.P does what the others didn't do and blocked the System account as well, Schouwenberg said. That meant no other programs, including antivirus scanners, could detect Sober.P while it was resident in memory, he said.
"If something can't be scanned, then malicious code can't be detected. This rules out the chance of Sober being detected while running an on-demand scan," he said in the alert, posted to Kaspersky's "Analyst's Diary" site.
While this mechanism doesn't stop an antivirus program from blocking Sober.P from infecting a computer in the first place, once a computer is infected it makes it more difficult to fix, said Schouwenberg: "If you aren't aware of infection, how can you take measures against it?"
Some antivirus products lacked the features needed to root out such an infection, namely a memory scanner and the ability to kill the worm's processes, Schouwenberg said.