- Joined
- Mar 5, 2002
- Messages
- 25,750
- Reaction score
- 1,209
As of November 21, 2005 2:20 PM Pacific Standard Time (PST, GMT -8:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_SOBER.AG. TrendLabs has received several infection reports indicating that this malware is spreading in the USA, Belgium, Canada, Brazil, and New Zealand.
This memory-resident worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own ple Mail Transfer Protocol (SMTP) engine. Since it's email propagation does not require any user intervention, the user is often unaware that this worm is sending out email messages.
The email it sends out has the following details:
From: {Email address generated by this worm}
Subject: (any of the following)
*ive_a_new_mail_address
*Mail delivery failed
*Registration Confirmation
*smtp mail failed
*Spam: Registration Confirmation
*Your Password
*Your IP was logged
*Paris_Hilton_&_Nicole_Richie
*You visit illegal websites
Message body: (any of the following)
hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not sure!
plz read and check ...
cyaaaaaaa
---
This is an automatically generated Delivery Status Notification.
SMTP_Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.
The full mail-text and header is attached
---
Account and Password Information are attached!
***** Go to: http://www.{random}.com
***** Email: {random}.com
---
Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.
Important:
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison
*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000
---
Account and Password Information are attached! ---
The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more
Download is free until Jan, 2006!
Please use our Download manager.
Attachment: (any of the following)
*mailtext.zip
*mail.zip
*reg_pass.zip
*mail.zip
*reg_pass-data.zip
*question_list.zip
*list.zip
*downloadm
*mail_body.zip
The attached .ZIP file contains the copy of this worm using the following file name:
File-packed_dataInfo.exe
When executed, it displays a fake error message box in order to trick a user into thinking that the file did not properly execute.
This worm searches the process list of the affected system for mrt.exe, the Microsoft Windows Malicious Software Removal Tool process. If found, it terminates the said process thus making the system more vulnerable to malicious attacks.
TrendLabs will be releasing the following EPS deliverables:
TMCM Outbreak Prevention Policy (Beta) - 187 (Released)
Official Pattern Release - 2.957.00 (ETA: 1.5 hrs)
Damage Cleanup Template - 678 (Being created)
Network Virus Wall - 10232 (Being created)
Keep a lookout for updates to your AV program.
This memory-resident worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own ple Mail Transfer Protocol (SMTP) engine. Since it's email propagation does not require any user intervention, the user is often unaware that this worm is sending out email messages.
The email it sends out has the following details:
From: {Email address generated by this worm}
Subject: (any of the following)
*ive_a_new_mail_address
*Mail delivery failed
*Registration Confirmation
*smtp mail failed
*Spam: Registration Confirmation
*Your Password
*Your IP was logged
*Paris_Hilton_&_Nicole_Richie
*You visit illegal websites
Message body: (any of the following)
hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not sure!
plz read and check ...
cyaaaaaaa
---
This is an automatically generated Delivery Status Notification.
SMTP_Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.
The full mail-text and header is attached
---
Account and Password Information are attached!
***** Go to: http://www.{random}.com
***** Email: {random}.com
---
Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.
Important:
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison
*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000
---
Account and Password Information are attached! ---
The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more
Download is free until Jan, 2006!
Please use our Download manager.
Attachment: (any of the following)
*mailtext.zip
*mail.zip
*reg_pass.zip
*mail.zip
*reg_pass-data.zip
*question_list.zip
*list.zip
*downloadm
*mail_body.zip
The attached .ZIP file contains the copy of this worm using the following file name:
File-packed_dataInfo.exe
When executed, it displays a fake error message box in order to trick a user into thinking that the file did not properly execute.
This worm searches the process list of the affected system for mrt.exe, the Microsoft Windows Malicious Software Removal Tool process. If found, it terminates the said process thus making the system more vulnerable to malicious attacks.
TrendLabs will be releasing the following EPS deliverables:
TMCM Outbreak Prevention Policy (Beta) - 187 (Released)
Official Pattern Release - 2.957.00 (ETA: 1.5 hrs)
Damage Cleanup Template - 678 (Being created)
Network Virus Wall - 10232 (Being created)
Keep a lookout for updates to your AV program.