curtis Posted November 22, 2005 Posted November 22, 2005 As of November 21, 2005 2:20 PM Pacific Standard Time (PST, GMT -8:00), a Medium Risk Virus Alert was declared to control the spread of WORM_SOBER.AG. There have been several infection reports indicating that this malware is spreading in the USA, Belgium, Canada, Brazil, and New Zealand. This memory-resident worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Since it's email propagation does not require any user intervention, the user is often unaware that this worm is sending out email messages. The email it sends out has the following details: From: {Email address generated by this worm} Subject: (any of the following) • hi,_ive_a_new_mail_address • Mail delivery failed • Registration Confirmation • smtp mail failed • Spam: Registration Confirmation • Your Password • Your IP was logged • Paris_Hilton_&_Nicole_Richie • You visit illegal websites Message body: (any of the following) hey its me, my old address dont work at time. i dont know why?! in the last days ive got some mails. i' think thaz your mails but im not sure! plz read and check ... cyaaaaaaa --- This is an automatically generated Delivery Status Notification. SMTP_Error [] I'm afraid I wasn't able to deliver your message. This is a permanent error; I've given up. Sorry it didn't work out. The full mail-text and header is attached --- Account and Password Information are attached! ***** Go to: http://www.{random}.com ***** Email: {random}.com --- Dear Sir/Madam, we have logged your IP-address on more than 30 illegal Websites. Important: Please answer our questions! The list of questions are attached. Yours faithfully, Steven Allison *** Federal Bureau of Investigation -FBI- *** 935 Pennsylvania Avenue, NW, Room 3220 *** Washington, DC 20535 *** phone: (202) 324-3000 --- Account and Password Information are attached! --- The Simple Life: View Paris Hilton & Nicole Richie video clips , pictures & more Download is free until Jan, 2006! Please use our Download manager. Attachment: (any of the following) • mailtext.zip • mail.zip • reg_pass.zip • mail.zip • reg_pass-data.zip • question_list.zip • list.zip • downloadm • mail_body.zip The attached .ZIP file contains the copy of this worm using the following file name: File-packed_dataInfo.exe When executed, it displays a fake error message box in order to trick a user into thinking that the file did not properly execute. This worm searches the process list of the affected system for mrt.exe, the Microsoft Windows Malicious Software Removal Tool process. If found, it terminates the said process thus making the system more vulnerable to malicious attacks. Quote
TCH-Bruce Posted November 22, 2005 Posted November 22, 2005 I've been getting these all day long. I just didn't have time to do any research. Thanks Curtis! Quote
TCH-Bruce Posted November 22, 2005 Posted November 22, 2005 My virus definitions this morning is catching the attachment. Everyone make sure your virus definitions are up to date! Quote
jnull Posted November 22, 2005 Posted November 22, 2005 Been gettin' these all day long, too... and now within the last 30 minutes it's like email died -- no email, and I have TCH hosted clients reporting the same. Have submitted a support ticket about 20 minutes ago, but of course no reply since email is dead (though I am tracking it through the support web page). Other than that, having a pretty slow afternoon.... Quote
TCH-Bruce Posted November 22, 2005 Posted November 22, 2005 I received over 120 in an 8-hour period. Wonder how many the account will collect overnight. Quote
curtis Posted November 23, 2005 Author Posted November 23, 2005 I don't know how many I have received today but its more than my share. Fortunately my anti-virus quarantines the attachments as soon as they hit my inbox. Quote
jnull Posted November 23, 2005 Posted November 23, 2005 Just checked my email this a.m. and caught 44 spam messages, half of them being this little bugger... and am happy to with my AV as it is also zapping these fellas. Happy Thanksgiving day to all... Quote
mike Posted November 27, 2005 Posted November 27, 2005 Yep, me too. Thank God for antivirus updates. I informed all my address book to make sure they are updated and clean. thanks TCH Quote
jayson Posted November 27, 2005 Posted November 27, 2005 wow, I must have lucked out, I have not gotten the bug, but I guess my time is due.. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.