
New WORM!!! Everyone Read this! W32.Sober.I@mm

Posted: Fri Nov 19, 2004 1:31 pm
by Mithrandir
Just got this today. If you get something like this, delete it!


W32.Sober.I@mm is a mass-mailing worm that uses its own SMTP engine to spread by sending itself as an email attachment to addresses gathered from the infected computer. The subject of the email varies and will be in either English or German. The email sender address is spoofed. The name of the email attachment varies, and it will have a .bat, .com, .pif, .scr, or .zip file extension. The attachment may also have a double extension. This threat is written in the Microsoft Visual Basic programming language and is compressed with UPX.

From: (Spoofed) It can be an email address found on the infected computer or may be in the form of [fake sender name]@[recipient's domain], where fake sender name is one of the following:

Info
FehlerMail
Webmaster
ReMailer
Lisa
Peter
Michael
Thomas
Elke
Susi
Nadine
Benutzer-Daten
Information
Service
Hilfe
Webmaster
Hostmaster
Postmaster
User-Info


Subject: (May be one of the following with FwD: as prefix)

hi there
hey dude!
wazzup!!!
yeah dude :P
Details
Oh God it's
d**m!
#
Registration confirmation
Confirmation
Your Password
Your mail account
Delivery failure notice
Faulty mail delivery
Mail delivery failed
Mailing Error
Illegal signs in E-Mail
Invalid mail length
Mail Delivery failure
mail delivery status
Warning!
error in dbase
DBase Error
ups, i've got your mail
Sorry, that's your mail
why do you do that?
Life's a b***h
Smiling Like a Killer
lol,wat'nlosey?
Informationvon
FalscheMailzustellung
FehlerinIhrerE-Mail
IhreE-Mailwarfehlerhaft
ESMTPError
UngültigeVariableninihrerE-Mail
Verbindungwurdegetrennt
Mail_Fehler
IhrneuerAccount
NeueAccountDaten
Siehabennichtgezahlt
Rechnung
Hi,seivorsichtig!
Achtung!gefährlicherVirus!
Schongehört?
DieTools!
DeinZeug's!
Hierfürdich^^
BestellungsBestätigung
Lieferungs-Bestätigung
Ok,hieristmein
Ichhabemichindichv


Body: (May be composed of some of the following text)

++++ User-Service: http://www.<sender's domain>
++++ MailTo: postmaster@<sender's domain>

Your password was changed successfully.

Protected message is attached.


This account_hast_been_disabled.

_failed_after_I_sent_the_message.
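
As an added example that is not part of the original post: a mail-filter check for the three header and attachment traits described above (a listed sender name at the recipient's own domain, one of the listed attachment extensions, and a double extension). The function names, the sample addresses and file names are constructed, and matching the sender names case-insensitively is an assumption.

```python
import os
from email.message import EmailMessage
from email.utils import parseaddr

# Values taken from the post; lower-casing them for comparison is an assumption.
RISKY_EXTS = {".bat", ".com", ".pif", ".scr", ".zip"}
FAKE_SENDERS = {
    "info", "fehlermail", "webmaster", "remailer", "lisa", "peter",
    "michael", "thomas", "elke", "susi", "nadine", "benutzer-daten",
    "information", "service", "hilfe", "hostmaster", "postmaster",
    "user-info",
}

def sober_indicators(msg):
    """Return the indicators from the post that one parsed message matches."""
    hits = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    rcpt = parseaddr(str(msg.get("To", "")))[1].lower()
    s_local, _, s_dom = sender.partition("@")
    r_dom = rcpt.partition("@")[2]
    # Spoofed form: [fake sender name]@[recipient's domain]
    if s_local in FAKE_SENDERS and s_dom and s_dom == r_dom:
        hits.append("sender-pattern")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        stem, ext = os.path.splitext(name.lower())
        if ext in RISKY_EXTS:
            hits.append("risky-extension")
            if os.path.splitext(stem)[1]:  # e.g. name.txt.pif
                hits.append("double-extension")
    return hits

def build_sample(sender, filename):
    """Constructed test message; addresses and file names are made up."""
    m = EmailMessage()
    m["From"], m["To"] = sender, "alice@example.org"
    m["Subject"] = "Mail delivery failed"
    m.set_content("Protected message is attached.")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m

if __name__ == "__main__":
    print(sober_indicators(build_sample("Postmaster@example.org", "details.txt.pif")))
```

The result is a list of matched traits rather than a verdict: a .zip attachment on its own is common in legitimate mail, so a filter would normally act only when several traits match together.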

Posted: Fri Nov 19, 2004 6:18 pm
by Sephiroth
thanks for lettin us know

Posted: Fri Nov 19, 2004 8:36 pm
by BigZam
i don't have much to worry about cuz i've got a suspect email filter, but thanks.

Posted: Fri Nov 19, 2004 9:10 pm
by agasfas
good thing I delete about 99.9% of my emails. If it's bigger than 10kbs, in the trash you go :P

Posted: Fri Nov 19, 2004 9:24 pm
by TheMelodyMaker
This threat is written in the Microsoft Visual Basic programming language and is compressed with UPX.

That's the part I find most interesting. That tells me that someone using Windows 95/98 that doesn't have the Visual Basic runtime installed may be safe from the worm -- unless the worm somehow has a way of installing the runtime first before doing its thing. (I think that Windows ME/XP come with it already installed, though.)

Edit: I had version 6 in mind, but I never thought until now that it could be another version (earlier or later).

Posted: Sat Nov 20, 2004 8:54 am
by Mithrandir
I've been out of the Windows programming loop too long. My last major app was for 98 (an AI game).

It must be said, though, that anyone with a sufficiently out-of-date computer never has to worry about ANY viruses.

;)