[arrl-odv:13356] Sober Worm Variant Spreading Quickly

Be careful out there... the social engineering of the newest version of the Sober virus is trapping lots of people.
Name: W32/Sober@MM!M681 (McAfee) <http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=137072>
CME Entry: 681 <http://cme.mitre.org/data/list.html>
Affects: Windows XP/XP SP2/2000/2003/NT/ME/98/95
What it does: The Sober outbreak that began two weeks ago got much worse last week for a few reasons, tops on the list being improved social engineering. Notice above that McAfee currently designates this worm as "W32/Sober@MM!M681". The original detection was with their generic "Sober.gen" signatures, but they renamed this one to reflect the fact that the outbreak has merited a CME entry <http://cme.mitre.org/data/list.html>.
This is a classic mass-mailing worm that forges the From: header, so if you receive a copy, do not assume the address in the From: line is the actual sender of the message. The message carries an executable attachment and text that entices the user to run the attachment. Below are some sample message contents, courtesy of McAfee (see their writeup for more such examples: <http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=137072>).

* Subject: You visit illegal web sites
* Body:
* Dear Sir/Madam,
* we have logged your IP-address on more than 30 illegal web sites.
* Important:
* Please answer our questions!
* The list of questions are attached.
* Yours faithfully,
* Steven Allison
* ++++ Central Intelligence Agency -CIA-
* ++++ Office of Public Affairs
* ++++ Washington, D.C. 20505
* ++++ phone: (703) 482-0623
* ++++ 7:00 a.m. to 5:00 p.m., US Eastern time

* Subject: You visit illegal web sites
* Body:
* Dear Sir/Madam,
* we have logged your IP-address on more than 30 illegal web sites.
* Important:
* Please answer our questions!
* The list of questions are attached.
* Yours faithfully,
* Steven Allison
* *** Federal Bureau of Investigation -FBI-
* *** 935 Pennsylvania Avenue, NW, Room 3220
* *** Washington, DC 20535
* *** phone: (202) 324-3000

* Body:
* Glueckwunsch: Bei unserer EMail Auslosung hatten Sie und weitere neun Kandidaten Glueck.
* Sie sitzen demnaechst bei Guenther Jauch im Studio! Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
* +++ RTL interactive GmbH
* +++ Geschaeftsfuehrung: Dr. Constantin Lange
* +++ Am Coloneum 1
* +++ 50829 Koeln
* +++ Fon: +49(0) 221-780 0 oder
Yes, this being a Sober variant, there are German messages in it.
How to avoid it: Install anti-virus software and keep it up to date. Don't open attachments that you don't expect, even those from people you know.
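As an added example (not code from the original post or from McAfee), here is a mail-gateway style check in Python for the pattern described above: a known lure subject line combined with a directly executable attachment, with the From: address treated as untrusted rather than as evidence of the sender. The sample messages, the attachment name questions.exe and the extension list are constructed for illustration.

```python
"""Flag Sober-style lure mail: known lure subject plus an executable attachment."""
from email import message_from_string
from email.policy import default

# Subject line quoted in McAfee's writeup for this variant.
KNOWN_LURE_SUBJECTS = {"you visit illegal web sites"}
# File extensions Windows runs directly when the user double-clicks them.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Constructed sample resembling the first McAfee example; attachment name is made up.
LURE_SAMPLE = """From: "Steven Allison" <someone@example.com>
To: user@example.org
Subject: You visit illegal web sites
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal web sites.
The list of questions are attached.

--XYZ
Content-Type: application/octet-stream; name="questions.exe"
Content-Disposition: attachment; filename="questions.exe"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

# Constructed benign message for comparison.
BENIGN_SAMPLE = "From: a@example.com\nTo: b@example.org\nSubject: Meeting notes\n\nSee you Monday.\n"


def classify_message(raw: str) -> dict:
    """Return the indicators found and a quarantine decision for one RFC 822 message."""
    msg = message_from_string(raw, policy=default)
    subject = (msg["subject"] or "").strip().lower()
    # Collect attachment file names that Windows would execute directly.
    executables = [
        part.get_filename() or ""
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(EXECUTABLE_EXTENSIONS)
    ]
    lure = subject in KNOWN_LURE_SUBJECTS
    # The worm forges From:, so never bounce or notify based on that address.
    return {
        "subject_is_known_lure": lure,
        "executable_attachments": executables,
        "from_is_trustworthy": False,
        "quarantine": lure or bool(executables),
    }
```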
How to remove it: McAfee's free Stinger tool can remove this infection: <http://vil.nai.com/vil/stinger>
==========================================
Andy Oppel
Principal Data Architect
Systems Engineering Group
Ceridian Corporation
andy.oppel@ceridian.com
(510) 864-2299 Voice
(510) 910-1508 Cell
==========================================