New Worm about ... be on your guard

muckshifter

As of November 21, 2005 2:20 PM Pacific Standard Time (PST, GMT -8:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_SOBER.AG. TrendLabs has received several infection reports indicating that this malware is spreading in the USA, Belgium, Canada, Brazil, and New Zealand.

This memory-resident worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Since its email propagation does not require any user intervention, the user is often unaware that this worm is sending out email messages.

The email it sends out has the following details:

From: {Email address generated by this worm}

Subject: (any of the following)
*ive_a_new_mail_address
*Mail delivery failed
*Registration Confirmation
*smtp mail failed
*Spam: Registration Confirmation
*Your Password
*Your IP was logged
*Paris_Hilton_&_Nicole_Richie
*You visit illegal websites

Message body: (any of the following)
hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not sure!
plz read and check ...
cyaaaaaaa

---

This is an automatically generated Delivery Status Notification.

SMTP_Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.
The full mail-text and header is attached

---

Account and Password Information are attached!
***** Go to: http://www.{random}.com
***** Email: {random}.com

---

Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.
Important:
Please answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison

*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000

---

Account and Password Information are attached!

---

The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more

Download is free until Jan, 2006!
Please use our Download manager.


Attachment: (any of the following)
*mailtext.zip
*mail.zip
*reg_pass.zip
*mail.zip
*reg_pass-data.zip
*question_list.zip
*list.zip
*downloadm
*mail_body.zip


The attached .ZIP file contains the copy of this worm using the following file name:
File-packed_dataInfo.exe

When executed, it displays a fake error message box in order to trick a user into thinking that the file did not properly execute.

This worm searches the process list of the affected system for mrt.exe, the Microsoft Windows Malicious Software Removal Tool process. If found, it terminates the said process thus making the system more vulnerable to malicious attacks.


TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy (Beta) - 187 (Released)
Official Pattern Release - 2.957.00 (ETA: 1.5 hrs)
Damage Cleanup Template - 678 (Being created)
Network Virus Wall - 10232 (Being created)



Keep a lookout for updates to your AV program. :thumb:
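A mail-filter check built from the indicators listed in the alert above, as an added example that is not part of the original post or of TrendLabs' deliverables. The function names `score_message` and `build_sample`, the hit labels and the sample addresses are assumptions made for illustration; the sample message is constructed and carries only placeholder bytes.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the alert above ("*downloadm" is cut off there, so omitted).
SUBJECTS = {
    "ive_a_new_mail_address", "mail delivery failed", "registration confirmation",
    "smtp mail failed", "spam: registration confirmation", "your password",
    "your ip was logged", "paris_hilton_&_nicole_richie", "you visit illegal websites",
}
ATTACHMENTS = {"mailtext.zip", "mail.zip", "reg_pass.zip", "reg_pass-data.zip",
               "question_list.zip", "list.zip", "mail_body.zip"}
INNER_NAME = "file-packed_datainfo.exe"

def score_message(raw: bytes) -> list:
    """Return the alert indicators found in one raw e-mail message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append("attachment-name")
        if not name.endswith(".zip"):
            continue
        try:  # list archive members without extracting anything
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                members = [m.rsplit("/", 1)[-1].lower() for m in zf.namelist()]
        except zipfile.BadZipFile:
            hits.append("unreadable-zip")
            continue
        if INNER_NAME in members:
            hits.append("inner-exe-name")
        elif any(m.endswith(".exe") for m in members):
            hits.append("exe-in-zip")
    return hits

def build_sample(subject: str, zip_name: str, inner_name: str) -> bytes:
    """Constructed test message; the archive member is harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder, not an executable")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, "a@example.com", "b@example.com"
    msg.set_content("The full mail-text and header is attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

A subject match alone is weak evidence, since "Mail delivery failed" also appears on genuine bounces; the executable inside a .zip attachment is the stronger signal.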
 
Well I have been a recipient of two types of emails above and my AntiVirus already intercepted the mail. Looks like the worm has made it to my place as well besides the countries listed above. For those who are curious the two types are as follows:

Subject:
*Your Password
*Your IP was logged (with exactly same message as indicated by Mucks from Steven Allison) having an attachment: *list.zip :eek:

Looks like my Anti Virus program is protecting me nicely ;)
 
You gotta be a bit of a plonker to open that :D

But I suppose a lot of kids could fall for it.

Good warning Mr Mucks :)
 
I have had this one tonight - Norton and my other bits and bobs didn't pick it up - thought it was dodgy and sent to the spam box straight away!

See below:

This is an automatically generated Delivery Status Notification.

SMTP_Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.
The full mail-text and header is attached


I have had Norton pick up loads of worms/Trojans in recent days and heaven knows why!!

Gabs xx
 
No, make that 2 - went through the helpful lists and recognised 2 of them. Thankfully I am a bit more savvy these days!!

Gabs xx
 
gabriella said:
No, make that 2 - went through the helpful lists and recognised 2 of them. Thankfully I am a bit more savvy these days!!

Gabs xx
GOOD ...

They are worms ... Aliases: [Win32.]Sober.W; [Win32.]Sober.W!ZIP; [W32/]Sober.Z@mm (F-Secure); [Email-Worm.]Win32.Sober.y (Kaspersky); [Win32/]Sober.W!Worm;
the latest being ... W32/Gibe-F

;)
 
Hi Mucks

It's strange but over the last 2 weeks or so I have had loads of emails being flagged as Worms/Trojans by Norton and then today, 2 from the list you supplied earlier in the thread. They weren't picked up but I didn't like the look of either of them. Goodness knows where they are all coming from because my internet usage is very humble, limited to this site and a couple of professional/work sites.

I have checked my army of AV/AS etc... and they are all running fine, up to date etc......

Better keep my eyes open and if those kids of mine DARE open anything dodgy well.....I could be had up for some terrible crime!!!!!!!

Gabs xx
 
a worm ain't a virus ... ;-)

They are "doing the round" again ... that lot are oldies and your AV should pick 'em off no bother ... but the new "worms" are being sent out ... you still have to open/click on them, so look out.

Contact your ISP and tell them you are being spammed by these things and would they kindly ...

DO SOMETHING ABOUT IT
 
Worm Virus

Yeah I had one of these weird things last night, it was headed you been viewing illegal sites, your ISP is disconnecting your service. My AV caught it, it's now in the quarantine folder. :( I think we all got to beware of these mails. Marina
 