Warning, Warning, Danger Will Rogers!

Wiz Feinberg
Posts: 6118
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Warning, Warning, Danger Will Rogers!

Post by Wiz Feinberg »

Trend Micro Medium Risk Virus Alert - WORM_SOBER.AG


Dear Trend Micro customer,

As of November 21, 2005 2:20 PM Pacific Standard Time (PST, GMT -8:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_SOBER.AG. TrendLabs has received several infection reports indicating that this malware is spreading in the USA, Belgium, Canada, Brazil, and New Zealand.

This memory-resident worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Since its email propagation does not require any user intervention, the user is often unaware that this worm is sending out email messages.

The email it sends out has the following details:

From: {Email address generated by this worm}

Subject: (any of the following)
hi,_ive_a_new_mail_address
Mail delivery failed
Registration Confirmation
smtp mail failed
Spam: Registration Confirmation
Your Password
Your IP was logged
Paris_Hilton_&_Nicole_Richie
You visit illegal websites

Message body: (any of the following)
hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not sure!
plz read and check ...
cyaaaaaaa

---

This is an automatically generated Delivery Status Notification.

SMTP_Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.
The full mail-text and header is attached

---

Account and Password Information are attached!
***** Go to: http://www.{random}.com
***** Email: {random}.com

---

Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.
Important:
Please answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison

*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000

---

Account and Password Information are attached! ---

The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more
Download is free until Jan, 2006!
Please use our Download manager.


Attachment: (any of the following)
mailtext.zip
mail.zip
reg_pass.zip
mail.zip
reg_pass-data.zip
question_list.zip
list.zip
downloadm
mail_body.zip


The attached .ZIP file contains the copy of this worm using the following file name:
File-packed_dataInfo.exe

When executed, it displays a fake error message box in order to trick a user into thinking that the file did not properly execute.

This worm searches the process list of the affected system for mrt.exe, the Microsoft Windows Malicious Software Removal Tool process. If found, it terminates the said process thus making the system more vulnerable to malicious attacks.


TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy (Beta) - 187 (Released)
Official Pattern Release - 2.957.00 (ETA: 1.5 hrs)
Damage Cleanup Template - 678 (Being created)
Network Virus Wall - 10232 (Being created)


For more information on WORM_SOBER.AG, you can visit our Web site at: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.AG


------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services
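As an added illustration (not part of the Trend Micro alert or of this forum post), here is a small Python triage script that checks a saved message against the indicators listed above: the subject lines, the zip attachment names, and the File-packed_dataInfo.exe name inside the zip. The sample message it builds is constructed and harmless; the sender address is a placeholder.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators copied from the Trend Micro alert quoted above.
SOBER_SUBJECTS = {
    "hi,_ive_a_new_mail_address", "Mail delivery failed", "Registration Confirmation",
    "smtp mail failed", "Spam: Registration Confirmation", "Your Password",
    "Your IP was logged", "Paris_Hilton_&_Nicole_Richie", "You visit illegal websites",
}
SOBER_ZIP_NAMES = {"mailtext.zip", "mail.zip", "reg_pass.zip", "reg_pass-data.zip",
                   "question_list.zip", "list.zip", "mail_body.zip"}
SOBER_INNER_FILE = "File-packed_dataInfo.exe"


def scan_message(raw: bytes) -> dict:
    """Report which Sober.AG indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": False, "zip_name": False, "inner_exe": False}
    hits["subject"] = (msg.get("Subject") or "").strip() in SOBER_SUBJECTS
    for part in msg.iter_attachments():
        if (part.get_filename() or "") in SOBER_ZIP_NAMES:
            hits["zip_name"] = True
        data = part.get_payload(decode=True)  # undoes the Base64 transfer encoding
        if data and data.startswith(b"PK") and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # match on the member name only; never extract or run it
                if SOBER_INNER_FILE in zf.namelist():
                    hits["inner_exe"] = True
    return hits


def build_sample() -> bytes:
    """Constructed test message: the 'FBI' lure with a harmless zip (no real executable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SOBER_INNER_FILE, "placeholder text, not a program")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # placeholder, not from the alert
    msg["Subject"] = "Your IP was logged"
    msg.set_content("we have logged your IP-address on more than 30 illegal Websites.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="question_list.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```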

Jon Light (deceased)
Posts: 14336
Joined: 4 Aug 1998 11:00 pm
Location: Saugerties, NY
State/Province: -
Country: United States

Post by Jon Light (deceased) »

I have received two of the above mentioned forms of mail--the FBI one and the "Mail delivery failed" one. My AVG caught them both. I think? I mean, it said it did. Can I trust that the notification that it intercepted the worms and locked them in the virus vault means that that is the end of that? Or is there a further deception involved?

Wiz Feinberg
Posts: 6118
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

Jon Light asked:
quote:
I have received two of the above mentioned forms of mail--the FBI one and the "Mail delivery failed" one. My AVG caught them both. I think? I mean, it said it did. Can I trust that the notification that it intercepted the worms and locked them in the virus vault means that that is the end of that? Or is there a further deception involved?

When AVG places an email attachment in the vault it could still exist in your inbox as Base64 code inside the email. If there is any remnant of those emails delete them manually, then empty the deleted items folder in Outlook Express. I would also advise you to run a full scan of your hard drives, just in case.

You can delete the quarantined threats from the vault as well, since you know what they are, and that they are hostile. It makes no sense to keep them around.


------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services

[This message was edited by Wiz Feinberg on 22 November 2005 at 01:05 PM.]

Jon Light (deceased)
Posts: 14336
Joined: 4 Aug 1998 11:00 pm
Location: Saugerties, NY
State/Province: -
Country: United States

Post by Jon Light (deceased) »

Thanks. I had already done all the above. Guess I'm ok.

Jack Stoner
Posts: 22147
Joined: 3 Dec 1999 1:01 am
Location: Kansas City, MO
State/Province: Kansas
Country: United States

Post by Jack Stoner »

I've had a bunch of them today. Thankfully EZ Armour has caught all of them. Obviously someone that has my e-mail address is infected, but I don't think you can ever find out who.

ray qualls
Posts: 2980
Joined: 6 Feb 1999 1:01 am
Location: Baxter Springs, Kansas (deceased)
State/Province: Kansas
Country: United States

Post by ray qualls »

I've had about 30 of them today. My ISP caught them all. I'm on Sprint DSL. Also, I have Avast and it caught 3 or 4 this morning. I'll supply the rope if any of you catches them.

------------------
Ray Qualls
President(KSGA) www.rayqualls.com

Barry Blackwood
Posts: 7350
Joined: 20 Apr 2005 12:01 am
State/Province: -
Country: United States

Post by Barry Blackwood »

Danger Will ROBINSON ....
Charley Adair
Posts: 609
Joined: 28 Feb 2005 1:01 am
Location: Maxwell, Texas, USA
State/Province: Texas
Country: United States

Post by Charley Adair »

I have had at least 30 of these sent to me since yesterday, but my provider has intercepted them and deleted them. They send me an email telling me I was sent a virus.

------------------
Sho-Bud PRO-I, 4&5
erik
Posts: 2018
Joined: 7 Mar 2000 1:01 am
State/Province: -
Country: United States

Post by erik »

quote:
Danger Will ROBINSON ....
Yep, I've got the first two seasons on DVD.

------------------
-johnson


Wiz Feinberg
Posts: 6118
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

quote:
Danger Will ROBINSON ....
Oops! Sorry 'bout that y'all.

Dave Van Allen
Posts: 6161
Joined: 4 Aug 1998 11:00 pm
Location: Souderton, PA , US , Earth
State/Province: -
Country: United States

Post by Dave Van Allen »

yeah, it's a little late to warn Will Rogers not to get on that plane...
Bobby D. Hunter
Posts: 165
Joined: 24 Jul 2004 12:01 am
Location: USA
State/Province: -
Country: United States

Post by Bobby D. Hunter »

SGF members. Please read the first post in this topic where the moderator posted details about the names of the infected files, the subjects and other information that will help you identify that emails fitting this description contain viruses in the attached files. Please do not forward emails containing viruses to me for analysis. I am interested in tracking down Slimeballs who try to scam you, but these messages are auto-generated by self-replicating Sober Worms, not by Nigerians or Chinese spammers.

The Sober.AG Worm originated in Germany and is the most widespread Worm in the Wild today. Your best procedure is to have a very dependable anti-virus tool, like Avast, or Kaspersky (KAV), that is updated frequently (daily or hourly), and is able to remove infected attachments as they arrive in your inbox (Outlook or Outlook Express). If your antivirus product is not detecting emails meeting these descriptions (see top post) as containing the Sober Worm, trash it and get something that really works. I trashed AVG after it failed to detect the Sober Worm a month ago. KAV and Avast identified it instantly. NAV is too slow on updates to be considered a serious AV tool, and uses Internet Explorer's rendering engine for its interface.


------------------
Bobby D. Hunter
Security for SGF
Hunting down Slimeball Game
Reporting member of SpamCop

Wiz Feinberg
Posts: 6118
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

Zombies Boost New Sober Variant

Anti-virus and e-mail security companies warned Internet users Tuesday about a new variant of the Sober worm that was flooding e-mail servers around the world, with help from zombie machines infected by earlier editions of the same worm.

Sober.AG is the latest in a long line of mass e-mail worms.

It appeared Monday, after machines infected with older variants began spamming out the new version in a massive e-mail flood.

The e-mail messages use a variety of subterfuges to trick recipients into opening the virus attachment, including messages that pretend to come from the FBI and CIA, security firms said Tuesday.

E-mail security vendor MessageLabs of New York City said it blocked more than 2.7 million e-mail messages with the new Sober variant since around 7 p.m. GMT on Monday in what it called a "major offensive."

Symantec Corp. rated the worm, which it dubbed "Sober.X," a "Level 3" threat on a scale of one to five.

Sober worms are nothing new, but the latest variant is much more widely distributed than other recent versions because it is being sent out, simultaneously, from countless other Sober-infected machines, or "bots," said Symantec.

The new worm also uses a variety of enticing messages, in both German and English, to trick users.

Messages that appear to come from the FBI or CIA tell users that their IP address has been logged on "more than 30 illegal Websites," and asks them to open an attached file containing a "list of questions."

Other e-mail campaigns containing the Sober.AG worm promise recipients a glimpse of videos of jet-setters Paris Hilton and Nicole Richie if they open the file, according to an e-mail alert from Computer Associates International Inc.

The FBI issued a statement Tuesday warning the public to avoid falling for the scam.

Anti-virus vendors advised customers to update their anti-virus signatures and to be wary of scam e-mail messages.


------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services

[This message was edited by Wiz Feinberg on 22 November 2005 at 10:15 PM.]

Wiz Feinberg
Posts: 6118
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

Here are some more details about how the Sober Worm functions, taken from SARC.

W32.Sober.X@mm (Sober.AG) is a mass-mailing worm that uses its own SMTP engine to spread and lowers security settings. It sends itself as an email attachment to addresses gathered from the compromised computer. The email may be in either English or German.

Discovered on: November 19, 2005

Also Known As: CME-681, WORM_SOBER.AG [Trend Micro], W32/Sober-{X, Z} [Sophos], Win32.Sober.W [Computer Associates], Sober.Y [F-Secure], W32/Sober@MM!M681 [McAfee]

Type: Worm
Infection Length: 55,390 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Mass-mailing of emails may cause system instability.

Compromises security settings: Overwrites the file luall.exe with a copy of itself so that the worm will run each time LiveUpdate is launched.

Name of attachment: Zip file name Varies, but will contain the following file: File-packed_dataInfo.exe

There are many more details about the nature of the infection and a link to a Symantec Removal Tool available at: http://www.symantec.com/avcenter/venc/data/w32.sober.x@mm.html


------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services

[This message was edited by Wiz Feinberg on 23 November 2005 at 06:11 AM.]

b0b
Posts: 29079
Joined: 4 Aug 1998 11:00 pm
Location: Cloverdale, CA, USA
State/Province: -
Country: United States

Post by b0b »

Yeah, this one showed up twice in my company email yesterday. Then for about an hour the IT department said they were having "trouble with the domain controller". I don't know if the two events are related, but our network is usually very reliable.

Once the network was back up, they issued a warning about this virus.

btw, isn't it 'Danger, Will Robinson'?

------------------
Bobby Lee
-b0b- quasar@b0b.com
System Administrator
My Blog

Wiz Feinberg
Posts: 6118
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

b0b asked:
quote:
btw, isn't it 'Danger, Will Robinson'?

Of course it is. I forgot when I posted the topic. I will never live this down. I repent in dust and ashes.

Ernie Renn
Posts: 3494
Joined: 4 Aug 1998 11:00 pm
Location: Brainerd, Minnesota USA
State/Province: Minnesota
Country: United States

Post by Ernie Renn »

Here I thought you were making a joke. Danger, Will Rogers' son...

Everybody should take a few minutes and update their virus protection programs. In fact do it today and again in a day or so. In case it's been updated again.

------------------
My best,
Ernie
www.buddyemmons.com

Ray Minich
Posts: 6431
Joined: 22 Jul 2003 12:01 am
Location: Bradford, Pa. Frozen Tundra
State/Province: -
Country: United States

Post by Ray Minich »

Looks like Dr. Smith has been up to his usual antics. Wiz, yer just showin' your "experience" even knowing about Will Rogers
[This message was edited by Ray Minich on 28 November 2005 at 08:12 AM.]

Lawrence Lupkin
Posts: 651
Joined: 14 Feb 2003 1:01 am
Location: Brooklyn, New York, USA
State/Province: New York
Country: United States

Post by Lawrence Lupkin »

I received quite a few of these in my Hotmail Junk folder which I erased. One made it through to my regular inbox which I accidentally opened without clicking any links. Have I exposed myself to anything?

Wiz Feinberg
Posts: 6118
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

Lawrence asked:
quote:
I received quite a few of these in my Hotmail Junk folder which I erased. One made it through to my regular inbox which I accidentally opened without clicking any links. Have I exposed myself to anything?

No, not unless you also double-clicked on the .exe file inside the zipfile attachment.


------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services

Lawrence Lupkin
Posts: 651
Joined: 14 Feb 2003 1:01 am
Location: Brooklyn, New York, USA
State/Province: New York
Country: United States

Post by Lawrence Lupkin »

Whew. Thanks Wiz!