Hi Guys,

I haven't posted these warnings for quite some time.. decided to with this one..

It uses one of the common SE tricks.. The copies I have received don't exactly fit the descriptions on Symantec..

SOBER.O is the threat
Current status @ 22:25 May 2nd 2005: Cat 3
High distribution capability
High Incidence in the Wild
Low Damage

AV info HERE

W32.Sober.O@mm is a mass-mailing worm that sends itself as an email attachment to addresses gathered from the compromised computer. It uses its own SMTP engine to spread. The email may be in either English or German.
My personal warning.
Reject/delete/ignore any mail delivery messages that don't come from your own ISP.. and treat with extreme caution any that come from your own ISP.. You should be aware of the format of the error messages from your own Mail server.. in other words.. treat even messages from your own server with caution..

The following are the headers of a pair I decided to play with this morning..

Return-Path: <postmaster@technet2000.com.au>
Received: from munpd.au ([203.51.244.36]) by imta05ps.mx.bigpond.com
with SMTP
id <20050502210520.FQPM122.imta05ps.mx.bigpond.com@munpd.au>;
Mon, 2 May 2005 21:05:20 +0000
From: postmaster@technet2000.com.au
To: burrowscomputers@bigpond.com
Date: Mon, 02 May 2005 20:59:47 GMT
Subject: FwD: Your email was blocked
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <4947b4c95.c1d377d3@bigpond.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===e1b574b4fde57b.e561415f"
Content-Transfer-Encoding: 7bit

This is a multi-part message in MIME format.

Return-Path: <Admin@computerguru.com.au>
Received: from carxllydj.au ([203.51.244.36]) by imta02sl.mx.bigpond.com
with SMTP
id <20050502163608.RYKC17375.imta02sl.mx.bigpond.com@carxllydj.au>;
Mon, 2 May 2005 16:36:08 +0000
From: Admin@computerguru.com.au
To: freemail@bigpond.net.au
Date: Mon, 02 May 2005 16:30:08 GMT
Subject: FwD: Your email was blocked
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <ecad8a8280c9a75d2cc3@computerguru.com.au>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===0aa51d5309dad.08ca4dcece"
Content-Transfer-Encoding: 7bit

This is a multi-part message in MIME format.

ok just got this from Trend:

As of May 2, 2005, 11:50 AM (Pacific Daylight Time/GMT -7:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_SOBER.S.
TrendLabs has received numerous infection reports indicating that this malware is spreading in Germany and the U.S.A.

This worm spreads by mass-mailing copies of itself using its own SMTP (Simple Mail Transfer Protocol) engine. It gathers its target recipients from files with certain extension names. Notably, it avoids sending messages to addresses that contain specific strings.
Using social engineering techniques, it sends out an email supposedly sent by the soccer organization FIFA, informing recipients that they have won tickets for the upcoming FIFA World Cup 2006 in Germany.

The email it sends out has the following details:

From: (any of the following)
. Admin
. hostmaster
. info
. postmaster
. register
. service
. webmaster

Subject: (any of the following German subjects)
. Glueckwunsch: Ihr WM Ticket
. Ich bin's, was zum lachen
. Ihr Passwort
. Ihre E-Mail wurde verweigert
. Mail-Fehler!*
. WM Ticket Verlosung*WM-Ticket-Auslosung

(or any of the following English subjects)
. Re:
. Your Password
. Registration Confirmation
. Your email was blocked
. mailing error

Message body: (any of the following)

. Passwort und Benutzer-Informationen befinden sich in der beigefuegten Anlage.
*-* http://www.
*-* MailTo: PasswordHelp

. Diese E-Mail wurde automatisch erzeugt Mehr Information finden Sie unter http://www.

. Folgende Fehler sind aufgetreten:

. Fehler konnte nicht Explicit ermittelt werden

. End Transmission

. Aus Datenschutzrechtlichen Gruenden, muss die vollstaendige E-Mail incl. Daten gezippt & angehaengt werden. Wir bitten Sie, dieses zu beruecksichtigen.

. Auto ReMailer# [

. Nun sieh dir das mal an!
Was ein Ferkel ....

. Herzlichen Glueckwunsch,
--- FIFA-Pressekontakt:
ok ok ok,,,,, here is it
r die 64 Spiele der Weltmeisterschaft 2006 in Deutschland sind Sie dabei.
Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
ok2006
Team
St. Rainer Gellhaus
error-
--- Pressesprecher Jens Grittner und Gerd Graus
--- FIFA Fussball-Weltmeisterschaft 2006
--- Organisationskomitee Deutschland
--- Tel. 069 / 2006 - 2600
--- Jens.Grittner@ok2006.de
--- Gerd.Graus@ok2006.de

. Account and Password Information are attached!
Visit: http://www.

. AntiVirus Service
**** WebSite: .

Attachment: (any of the following)
. mail_info.zip
. okTicket-info.zip
. LOL.zip
. _PassWort-Info.zip
. autoemail-text.zip


TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy 171
Official Pattern Release 2.611.00
Damage Cleanup Template 588


For more information on WORM_SOBER.S, you can visit our Web site at:
http://www.trendmicro.com/vinfo/viru...e=WORM_SOBER.S

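Added example, not part of the original post or the Trend alert: a small mail-filter check that matches the sender names, subjects and attachment names listed in the alert against a raw message. The function names, the quarantine rule and the sample messages are assumptions made for illustration; the subject entries that are garbled on the page are left out of the list.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators copied from the Trend alert quoted above (ambiguous entries omitted).
SENDERS = {"admin", "hostmaster", "info", "postmaster", "register", "service", "webmaster"}
SUBJECTS = {s.lower() for s in (
    "Your Password", "Registration Confirmation", "Your email was blocked",
    "mailing error", "Glueckwunsch: Ihr WM Ticket", "Ich bin's, was zum lachen",
    "Ihr Passwort", "Ihre E-Mail wurde verweigert")}
ATTACHMENTS = {"mail_info.zip", "okticket-info.zip", "lol.zip",
               "_passwort-info.zip", "autoemail-text.zip"}
# The samples in the post carry a "FwD:" prefix, so strip reply/forward markers.
PREFIX = re.compile(r"^(?:(?:re|fwd?)\s*:\s*)+", re.IGNORECASE)

def sober_indicators(raw):
    """Return the alert indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    local = parseaddr(str(msg.get("From", "")))[1].partition("@")[0].lower()
    if local in SENDERS:
        hits.append("sender:" + local)
    subject = PREFIX.sub("", str(msg.get("Subject", "")).strip()).lower()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits

def is_sober_like(raw):
    """Assumed rule: a listed attachment plus at least one sender or subject hit."""
    hits = sober_indicators(raw)
    attached = [h for h in hits if h.startswith("attachment:")]
    return bool(attached) and len(hits) > len(attached)

def build_sample(sender, subject, attachment=None):
    """Build a constructed test message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content("This is a multi-part message in MIME format.")
    if attachment:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="zip", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    print(sober_indicators(build_sample(
        "postmaster@technet2000.com.au", "FwD: Your email was blocked", "mail_info.zip")))
```

A sender name such as "info" or "postmaster" is common in legitimate mail, which is why the sketch only flags a message when a listed attachment name is also present.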