Be careful out there... the social engineering of the newest version of the Sober virus is trapping lots of people.
Name: W32/Sober@MM!M681 (McAfee)
CME Entry: 681
Affects: Windows XP/XP SP2/2000/2003/NT/ME/98/95
What it does:
The Sober outbreak that began two weeks ago got much worse last week for a few reasons, chief among them improved social engineering. Notice above that McAfee currently designates this worm as "W32/Sober@MM!M681". The original detection was with their generic "Sober.gen" signatures, but they renamed this one to reflect the fact that the outbreak has merited a CME (Common Malware Enumeration) entry.
This is a classic mass-mailing worm, forging the From: header, so if you receive a copy of it don't believe that the address in the From: is the actual sender of the message. The message comes with an executable attachment and a message which entices the user to run the attachment. Below are some sample message contents, courtesy of McAfee (see their writeup for more such examples).
Subject: You visit illegal web sites
Body:
    Dear Sir/Madam,
    we have logged your IP-address on more than 30 illegal web sites.
    Important:
    Please answer our questions!
    The list of questions are attached.
    Yours faithfully,
    Steven Allison
    ++++ Central Intelligence Agency -CIA-
    ++++ Office of Public Affairs
    ++++ Washington, D.C. 20505
    ++++ phone: (703) 482-0623
    ++++ 7:00 a.m. to 5:00 p.m., US Eastern time

Subject: You visit illegal web sites
Body:
    Dear Sir/Madam,
    we have logged your IP-address on more than 30 illegal web sites.
    Important:
    Please answer our questions!
    The list of questions are attached.
    Yours faithfully,
    Steven Allison
    *** Federal Bureau of Investigation -FBI-
    *** 935 Pennsylvania Avenue, NW, Room 3220
    *** Washington, DC 20535
    *** phone: (202) 324-3000

Body:
    Glueckwunsch: Bei unserer EMail Auslosung hatten Sie und weitere neun Kandidaten Glueck.
    Sie sitzen demnaechst bei Guenther Jauch im Studio! Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
    +++ RTL interactive GmbH
    +++ Geschaeftsfuehrung: Dr. Constantin Lange
    +++ Am Coloneum 1
    +++ 50829 Koeln
    +++ Fon: +49(0) 221-780 0 oder

    [English translation of the German sample: "Congratulations: In our e-mail draw, you and nine other candidates were lucky. You will soon be sitting in the studio with Guenther Jauch! Please see the attachment for further details of your data. +++ RTL interactive GmbH +++ Management: Dr. Constantin Lange +++ Am Coloneum 1 +++ 50829 Koeln +++ Phone: +49(0) 221-780 0 or"]
Yes, this being a Sober variant, there are German messages in it.
How to avoid it: Install anti-virus software and keep it up to date. Don't open attachments that you don't expect, even those from people you know.
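The two traits called out above, a forged From: header and an executable attachment behind a lure subject, are easy to check for at a mail gateway or in a mailbox export. The following Python script is an added example written for this post; it is not code from the original message or from McAfee. It uses only the standard library `email` package, the lure subject quoted from the McAfee samples, and an assumed list of directly runnable attachment extensions (the post says only "executable attachment"). The two sample messages, including every address in them, are constructed for the demonstration.

```python
import email
import re
from email import policy

# Lure subject quoted from the McAfee samples above (matched case-insensitively).
LURE_SUBJECTS = {"you visit illegal web sites"}

# Assumed list of attachment extensions that run directly when double-clicked;
# a mass-mailer depends on the recipient executing its payload.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def header_addr(msg, name):
    """Return the bare address from a header such as 'Name <addr@host>', lower-cased."""
    value = str(msg.get(name, ""))
    m = re.search(r"<([^>]+)>", value)
    return (m.group(1) if m else value).strip().lower()


def triage(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message looks like a Sober-style lure (empty list if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in LURE_SUBJECTS:
        findings.append("known lure subject: %r" % subject)

    # A forged From: usually disagrees with the envelope sender recorded in Return-Path.
    from_addr = header_addr(msg, "From")
    return_path = header_addr(msg, "Return-Path")
    if return_path and from_addr != return_path:
        findings.append("From/Return-Path mismatch: %s vs %s" % (from_addr, return_path))

    # iter_attachments() skips the text body and yields the attached parts only.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if any(filename.endswith(ext) for ext in EXECUTABLE_EXTS):
            findings.append("executable attachment: %s" % filename)

    return findings


# Constructed sample modelled on the first lure above; all addresses are made up.
LURE_SAMPLE = b"""Return-Path: <bounce-7781@relay.example.net>
From: "Steven Allison" <public.affairs@cia.example>
To: victim@example.org
Subject: You visit illegal web sites
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XXsoberXX"

--XXsoberXX
Content-Type: text/plain

Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal web sites.
The list of questions are attached.

--XXsoberXX
Content-Type: application/octet-stream; name="list.exe"
Content-Disposition: attachment; filename="list.exe"
Content-Transfer-Encoding: base64

bm90IHJlYWxseSBhIHByb2dyYW0=
--XXsoberXX--
"""

# Constructed benign message: consistent sender, ordinary subject, no attachment.
CLEAN_SAMPLE = b"""Return-Path: <alice@example.org>
From: Alice <alice@example.org>
To: bob@example.org
Subject: Lunch on Friday?
Content-Type: text/plain

Still on for noon?
"""

if __name__ == "__main__":
    for label, sample in (("lure", LURE_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, "->", triage(sample) or ["no findings"])
```

The Return-Path comparison is a heuristic, not proof: mailing lists and forwarders legitimately produce a mismatch, so treat it as one signal to combine with the attachment and subject checks rather than a verdict on its own.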
How to remove it: McAfee's free Stinger tool can remove this infection.
==========================================
Andy Oppel
Principal Data Architect
Systems Engineering Group
Ceridian Corporation
andy.oppel@ceridian.com
(510) 864-2299 Voice
(510) 910-1508 Cell
==========================================