And, it’s a Sober worm in spite of all the beer brewed and consumed in Germany?


Jim Weaver, K8JE, Director

5065 Bethany Rd., Mason, OH 45040

E-mail: k8je@arrl.org; Tel:  513-459-0142

ARRL Great Lakes Division

ARRL, the Reason Amateur Radio is!

Members, the Reason ARRL is!

-----Original Message-----
From: Andy Oppel [mailto:andy_oppel@earthlink.net]
Sent: Tuesday, November 29, 2005 6:03 PM
To: arrl-odv
Subject: [arrl-odv:13356] Sober Worm Variant Spreading Quickly


Be careful out there... the social engineering of the newest version of the Sober virus is trapping lots of people.

Name: W32/Sober@MM!M681 (McAfee)
CME Entry: 681
Affects: Windows XP/XP SP2/2000/2003/NT/ME/98/95
What it does: The Sober outbreak that began two weeks ago got much worse last week for a few reasons, tops on the list being improved social engineering. Notice above that McAfee designates this worm currently as "W32/Sober@MM!M681". The original detection was with their generic "Sober.gen" signatures, but they renamed this one to reflect the fact that the outbreak has merited a CME entry.

This is a classic mass-mailing worm that forges the From: header, so if you receive a copy of it, don't believe that the address in the From: is the actual sender of the message. The message comes with an executable attachment and body text which entices the user to run the attachment. Below are some sample message contents, courtesy of McAfee (see their writeup for more such examples).

o       Subject: You visit illegal web sites

o       Body:

o       Dear Sir/Madam,

o       we have logged your IP-address on more than 30 illegal web sites.

o       Important:

o       Please answer our questions!

o       The list of questions are attached.

o       Yours faithfully,

o       Steven Allison

o       ++++ Central Intelligence Agency -CIA-

o       ++++ Office of Public Affairs

o       ++++ Washington, D.C. 20505

o       ++++ phone: (703) 482-0623

o       ++++ 7:00 a.m. to 5:00 p.m., US Eastern time

o       Subject: You visit illegal web sites

o       Body:

o       Dear Sir/Madam,

o       we have logged your IP-address on more than 30 illegal web sites.

o       Important:

o       Please answer our questions!

o       The list of questions are attached.

o       Yours faithfully,

o       Steven Allison

o       *** Federal Bureau of Investigation -FBI-

o       *** 935 Pennsylvania Avenue, NW, Room 3220

o       *** Washington, DC 20535

o       *** phone: (202) 324-3000

o       Body (German in the original; translated here):

o       Congratulations: In our e-mail draw, you and nine other candidates were lucky.

o       You will soon be sitting in the studio with Guenther Jauch! Please see the attachment for further details of your data.

o       +++ RTL interactive GmbH

o       +++ Management: Dr. Constantin Lange

o       +++ Am Coloneum 1

o       +++ 50829 Koeln

o       +++ Phone: +49(0) 221-780 0 or


Yes, this being a Sober variant, there are German messages in it.

How to avoid it: Install anti-virus software and keep it up to date. Don't open attachments that you don't expect, even those from people you know.

How to remove it: McAfee's free Stinger tool can remove this infection.

==========================================
Andy Oppel
Principal Data Architect
Systems Engineering Group
Ceridian Corporation
andy.oppel@ceridian.com
(510) 864-2299   Voice
(510) 910-1508    Cell
==========================================
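The two traits Andy's note calls out, a forged From: header and an executable attachment dressed up as a document, are the things a mail gateway or a triage script can check for mechanically. The script below is an added example written for this page, not code from the original thread, McAfee or any vendor. It parses a raw message with Python's standard `email` library, compares the From: domain with the Return-Path (envelope) domain, flags attachments whose final extension Windows would execute (so `questions.txt.exe` is caught even though it looks like a text file), and matches the Subject against the lure subject quoted above. The executable-extension list, the lure list, the mailbox addresses and the two sample messages are all constructed assumptions for the demonstration; the attachment payload is base64 of a harmless string, not a real binary.

```python
"""Triage an inbound message for the Sober traits described above.

Added example, not from the original thread: flags a From:/Return-Path
domain mismatch, executable attachments (including double extensions)
and a known lure subject. All sample data below is constructed.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# File types Windows runs on double-click (assumed list, not from the page).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Lure subjects quoted in the write-up above, lower-cased for comparison.
LURE_SUBJECTS = {"you visit illegal web sites"}


def sender_domains(msg: EmailMessage) -> tuple:
    """Return (From: domain, Return-Path domain), lower-cased; '' if absent."""
    _, from_addr = parseaddr(msg.get("From", ""))
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    return (from_addr.rpartition("@")[2].lower(),
            envelope.rpartition("@")[2].lower())


def executable_attachments(msg: EmailMessage) -> list:
    """Names of attachments whose LAST extension is executable (catches foo.txt.exe)."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        _, ext = os.path.splitext(name)  # splitext keeps only the final suffix
        if ext.lower() in EXECUTABLE_EXTENSIONS:
            names.append(name)
    return names


def triage(raw: bytes) -> dict:
    """Return {'quarantine': bool, 'findings': [str, ...]} for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_dom, env_dom = sender_domains(msg)
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f"From: domain {from_dom!r} does not match "
                        f"Return-Path domain {env_dom!r}")

    exes = executable_attachments(msg)
    for name in exes:
        findings.append(f"executable attachment {name!r}")

    if msg.get("Subject", "").strip().lower() in LURE_SUBJECTS:
        findings.append("subject matches a known Sober lure")

    # A header mismatch alone is weak evidence (mailing lists and forwarders
    # produce it legitimately); an executable attachment is what gets quarantined.
    return {"quarantine": bool(exes), "findings": findings}


# Constructed sample modelled on the CIA lure quoted above. The attachment
# body is base64 of the text "not a real program", not an actual executable.
SAMPLE = b"""Return-Path: <bounce@example.net>
From: Steven Allison <publicaffairs@cia.example>
To: victim@example.org
Subject: You visit illegal web sites
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal web sites.
The list of questions are attached.
--b1
Content-Type: application/octet-stream; name="questions.txt.exe"
Content-Disposition: attachment; filename="questions.txt.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBwcm9ncmFt
--b1--
"""

# Constructed benign message: consistent domains, no attachment.
BENIGN = b"""Return-Path: <alice@example.org>
From: Alice <alice@example.org>
To: bob@example.org
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, triage(raw))
```

The check deliberately keys on the last extension only, because the lure names a "list of questions" and a double extension such as `.txt.exe` is the usual way a worm makes an executable look like a document. Real gateways would add MIME-type sniffing of the attachment bytes and archive inspection, since an `.exe` inside a `.zip` passes this filter unchanged.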