[arrl-odv:13357] Re: Sober Worm Variant Spreading Quickly

And, it's a Sober worm in spite of all the beer brewed and consumed in Germany?

Jim Weaver, K8JE, Director
5065 Bethany Rd., Mason, OH 45040
E-mail: k8je@arrl.org; Tel: 513-459-0142
ARRL Great Lakes Division
ARRL, the Reason Amateur Radio is!
Members, the Reason ARRL is!

-----Original Message-----
From: Andy Oppel [mailto:andy_oppel@earthlink.net]
Sent: Tuesday, November 29, 2005 6:03 PM
To: arrl-odv
Subject: [arrl-odv:13356] Sober Worm Variant Spreading Quickly

Be careful out there... the social engineering of the newest version of the Sober virus is trapping lots of people.

Name: W32/Sober@MM!M681 <http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=137072> (McAfee)
CME Entry: 681 <http://cme.mitre.org/data/list.html>
Affects: Windows XP/XP SP2/2000/2003/NT/ME/98/95

What it does:

The Sober outbreak that began two weeks ago got much worse last week for a few reasons, tops on the list being improved social engineering. Notice above that McAfee designates this worm currently as "W32/Sober@MM!M681". The original detection was with their generic "Sober.gen" signatures, but they renamed this one to reflect the fact that the outbreak has merited a CME entry <http://cme.mitre.org/data/list.html>.

This is a classic mass-mailing worm, forging the From: header, so if you receive a copy of it don't believe that the address in the From: is the actual sender of the message. The message comes with an executable attachment and a message which entices the user to run the attachment. Below are some sample message contents, courtesy of McAfee (see their <http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=137072> writeup for more such examples).

o Subject: You visit illegal web sites
o Body:
o Dear Sir/Madam,
o we have logged your IP-address on more than 30 illegal web sites.
o Important:
o Please answer our questions!
o The list of questions are attached.
o Yours faithfully,
o Steven Allison
o ++++ Central Intelligence Agency -CIA-
o ++++ Office of Public Affairs
o ++++ Washington, D.C. 20505
o ++++ phone: (703) 482-0623
o ++++ 7:00 a.m. to 5:00 p.m., US Eastern time

o Subject: You visit illegal web sites
o Body:
o Dear Sir/Madam,
o we have logged your IP-address on more than 30 illegal web sites.
o Important:
o Please answer our questions!
o The list of questions are attached.
o Yours faithfully,
o Steven Allison
o *** Federal Bureau of Investigation -FBI-
o *** 935 Pennsylvania Avenue, NW, Room 3220
o *** Washington, DC 20535
o *** phone: (202) 324-3000

o Body:
o Glueckwunsch: Bei unserer EMail Auslosung hatten Sie und weitere neun Kandidaten Glueck.
  [English: Congratulations: In our e-mail draw, you and nine other candidates were lucky.]
o Sie sitzen demnaechst bei Guenther Jauch im Studio! Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
  [English: You will soon be sitting in the studio with Guenther Jauch! Please see the attachment for further details of your data.]
o +++ RTL interactive GmbH
o +++ Geschaeftsfuehrung: Dr. Constantin Lange
  [English: Management: Dr. Constantin Lange]
o +++ Am Coloneum 1
o +++ 50829 Koeln
o +++ Fon: +49(0) 221-780 0 oder

Yes, this being a Sober variant, there are German messages in it.

How to avoid it:

Install anti-virus software and keep it up to date. Don't open attachments that you don't expect, even those from people you know.

How to remove it:

McAfee's free Stinger tool <http://vil.nai.com/vil/stinger> can remove this infection.

==========================================
Andy Oppel
Principal Data Architect
Systems Engineering Group
Ceridian Corporation
andy.oppel@ceridian.com
(510) 864-2299 Voice
(510) 910-1508 Cell
==========================================
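The warning above describes the two traits a mail gateway can act on without any signature for the worm itself: an executable attachment, and a lure subject such as "You visit illegal web sites", delivered under a forged From: header. The following added example (not part of the original thread or of any McAfee tooling) parses a constructed sample message with Python's standard `email` library and flags those traits. The lure-subject list, the extension list and the sample addresses are assumptions made for the example; the From:/Return-Path comparison illustrates the point that the From: header is attacker-controlled, whereas the envelope sender recorded by the receiving mail server is not.

```python
# Added example, not code from the original posting: flag messages that match
# the pattern described in the Sober warning (executable attachment + lure
# subject + forged From:). Sample messages below are constructed for the demo.
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Attachment types worth blocking at a gateway; an assumption for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".com", ".zip"}

# Lure subject quoted in the posting (matched case-insensitively).
LURE_SUBJECTS = ("you visit illegal web sites",)


def analyze(raw: bytes) -> dict:
    """Return findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = str(msg["Subject"] or "").strip().lower()
    if any(lure in subject for lure in LURE_SUBJECTS):
        findings.append("lure-subject")

    attachments = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        attachments.append(name)
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            findings.append(f"executable-attachment:{name}")

    # From: is whatever the sender typed; Return-Path is added by the receiving
    # MTA from the SMTP envelope. A mismatch alone is not proof of forgery, but
    # it is the signal the posting warns about: do not trust From: on its own.
    from_addr = email.utils.parseaddr(str(msg["From"] or ""))[1].lower()
    return_path = email.utils.parseaddr(str(msg["Return-Path"] or ""))[1].lower()
    if from_addr and return_path and from_addr != return_path:
        findings.append("from-returnpath-mismatch")

    suspicious = "lure-subject" in findings or any(
        f.startswith("executable-attachment:") for f in findings
    )
    return {"subject": subject, "attachments": attachments,
            "findings": findings, "suspicious": suspicious}


def build_sample() -> bytes:
    """Constructed message shaped like the lure quoted in the posting."""
    m = EmailMessage()
    m["From"] = "office@example-agency.invalid"          # forged, constructed
    m["Return-Path"] = "<infected-pc@example-isp.invalid>"  # envelope sender, constructed
    m["To"] = "user@example.org"
    m["Subject"] = "You visit illegal web sites"
    m.set_content("Dear Sir/Madam,\n"
                  "we have logged your IP-address on more than 30 illegal web sites.\n")
    # Placeholder bytes, not a real binary.
    m.add_attachment(b"MZ\x90\x00 constructed placeholder", maintype="application",
                     subtype="octet-stream", filename="list-of-questions.exe")
    return bytes(m)


def build_benign() -> bytes:
    """Constructed ordinary message with no attachment."""
    m = EmailMessage()
    m["From"] = "alice@example.org"
    m["Return-Path"] = "<alice@example.org>"
    m["To"] = "bob@example.org"
    m["Subject"] = "Meeting notes"
    m.set_content("Notes from today's meeting are in the shared folder.\n")
    return bytes(m)


if __name__ == "__main__":
    for label, raw in (("sample", build_sample()), ("benign", build_benign())):
        print(label, analyze(raw))
```

Run as a script, the constructed sample is reported with all three findings and the benign message with none. In a real gateway the Return-Path check would use the value your own MTA stamped, since a Return-Path header arriving from outside is just another attacker-controlled line.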