curtis

Worm_sober.ag


As of November 21, 2005 2:20 PM Pacific Standard Time (PST, GMT -8:00), a Medium Risk Virus Alert was declared to control the spread of WORM_SOBER.AG. There have been several infection reports indicating that this malware is spreading in the USA, Belgium, Canada, Brazil, and New Zealand.

 

This memory-resident worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Since its email propagation does not require any user intervention, the user is often unaware that this worm is sending out email messages.

 

The email it sends out has the following details:

 

From: {Email address generated by this worm}

 

Subject: (any of the following)

• hi,_ive_a_new_mail_address

• Mail delivery failed

• Registration Confirmation

• smtp mail failed

• Spam: Registration Confirmation

• Your Password

• Your IP was logged

• Paris_Hilton_&_Nicole_Richie

• You visit illegal websites

 

Message body: (any of the following)

hey its me, my old address dont work at time. i dont know why?!

in the last days ive got some mails. i' think thaz your mails but im not sure!

plz read and check ...

cyaaaaaaa

 

---

 

This is an automatically generated Delivery Status Notification.

 

SMTP_Error []

I'm afraid I wasn't able to deliver your message.

This is a permanent error; I've given up. Sorry it didn't work out.

The full mail-text and header is attached

 

---

 

Account and Password Information are attached!

***** Go to: http://www.{random}.com

***** Email: {random}.com

 

---

 

Dear Sir/Madam,

 

we have logged your IP-address on more than 30 illegal Websites.

Important:

Please answer our questions!

The list of questions are attached.

 

Yours faithfully,

Steven Allison

 

*** Federal Bureau of Investigation -FBI-

*** 935 Pennsylvania Avenue, NW, Room 3220

*** Washington, DC 20535

*** phone: (202) 324-3000

 

---

 

Account and Password Information are attached!

---

 

The Simple Life:

View Paris Hilton & Nicole Richie video clips , pictures & more :oops:

Download is free until Jan, 2006!

Please use our Download manager.

 

 

Attachment: (any of the following)

• mailtext.zip

• mail.zip

• reg_pass.zip

• mail.zip

• reg_pass-data.zip

• question_list.zip

• list.zip

• downloadm

• mail_body.zip

 

 

The attached .ZIP file contains the copy of this worm using the following file name:

File-packed_dataInfo.exe

 

When executed, it displays a fake error message box in order to trick a user into thinking that the file did not properly execute.

 

This worm searches the process list of the affected system for mrt.exe, the Microsoft Windows Malicious Software Removal Tool process. If found, it terminates the said process thus making the system more vulnerable to malicious attacks.


I've been getting these all day long. I just didn't have time to do any research.

 

Thanks Curtis! :oops:


My virus definitions this morning are catching the attachment. Everyone make sure your virus definitions are up to date!


Been gettin' these all day long, too... and now within the last 30 minutes it's like email died -- no email, and I have TCH hosted clients reporting the same. Have submitted a support ticket about 20 minutes ago, but of course no reply since email is dead (though I am tracking it through the support web page).

 

Other than that, having a pretty slow afternoon....


I received over 120 in an 8-hour period. Wonder how many the account will collect overnight. :)


I don't know how many I have received today but it's more than my share.

Fortunately my anti-virus quarantines the attachments as soon as they hit my inbox.


Just checked my email this a.m. and caught 44 spam messages, half of them being this little bugger... and am happy to with my AV as it is also zapping these fellas. :)

 

Happy Thanksgiving day to all...


Yep, me too.

 

Thank God for antivirus updates.

 

I informed all my address book to make sure they are updated and clean.

 

thanks TCH


wow, I must have lucked out, I have not gotten the bug, :) but I guess my time is due..
