Posted 11/24/05
W32.Sober.X@mm is a mass-mailing worm that uses its own SMTP engine to spread and lowers security settings. It sends itself as an email attachment to addresses gathered from the compromised computer. The email may be in either English or German.
Type: E-mail virus included in an attachment.
From: Will be a spoofed address.
Subject: One of the following:
Your Password
Registration Confirmation
smtp mail failed
Mail delivery failed
hi, ive a new mail address
You visit illegal websites
Your IP was logged
Paris Hilton & Nicole Richie
Body Text: (One of the following)
Account and Password Information are attached!
Protected message is attached!
=====dHSd9SZd;99zZ((EEEA
=====dw1W)6ZdzSL91WR
***** Go to: [http://]www.[DOMAIN NAME OF SENDER]
***** Email: postman
This is an automatically generated Delivery
Status Notification.
SMTP_Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.
The full mail-text and header is attached!
hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not
sure!
plz read and check ...
cyaaaaaaa
Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.lease answer
our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison
Department Office Admin Mail Post
===dkX XbW6dxPbXWPdSDd@R2XL9)CW9)SRd?kx@?
===dt4OduXRRL062WR)Wd.2XRPX,dKa,dnSS1d4vvy
*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505
++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time
The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more
;)
Download is free until Jan, 2006!
Please use our Download manager.
Attachments: One of the following:
reg_pass.zip
reg_pass-data.zip
mail.zip
mail_body.zip
mailtext.zip
list[RANDOM CHARACTERS].zip
question_list[RANDOM CHARACTERS].zip
downloadm.zip
If you receive such an e-mail and attachment, ASW recommends that you do not open the attachment and that you delete the e-mail. If you have opened the attachment and have the virus, suspend all e-mail activity. ASW customers may contact us at 829-7241 for help.
For those of you who have anti-virus software, please make sure your virus software definition files are up to date as of TODAY!
DO NOT OPEN UNKNOWN ATTACHMENTS IN E-MAIL, EVEN IF YOU KNOW WHO IT'S FROM! Please read the ASW virus information at the bottom of this page.
ASW Virus Information
Almost all computer viruses come as e-mail attachments. Also, a file with 2 extensions (e.g. mypicture.bmp.vbs), which may appear to be a bitmap picture, will more than likely contain a Visual Basic script virus. You can also get a virus by downloading and installing a shareware program from a site that is not reputable, or from a floppy disk given to you by someone.
At this time, ASW recommends not opening any unknown e-mail attachments, or any attachment when you do not know what it is or who it is from, and deleting that e-mail. When sending an attachment, we recommend making sure the person receiving it knows exactly what you're sending by including information about it in the e-mail. Avoid sending attachments you receive if you are not sure of their content.
Following is a partial list of file types that should be considered suspicious when received in e-mail and should not be opened unless you requested or expected the attachment:
ADE Microsoft Access Project Extension
ADP Microsoft Access Project
BAS Visual Basic Class Module
BAT Batch File
CHM Compiled HTML Help File
CMD Windows NT Command Script
COM MS-DOS Application
CPL Control Panel Extension
CRT Security Certificate
DLL Dynamic Link Library
DO* Word Documents and Templates
EXE Application
HLP Windows Help File
HTA HTML Applications
INF Setup Information File
INS Internet Communication Settings
ISP Internet Communication Settings
JS JScript File
JSE JScript Encoded Script File
LNK Shortcut
MDB Microsoft Access Application
MDE Microsoft Access MDE Database
MSC Microsoft Common Console Document
MSI Windows Installer Package
MSP Windows Installer Patch
MST Visual Test Source File
OCX ActiveX Objects
PCD Photo CD Image
PIF Shortcut to MS-DOS Program
POT PowerPoint Templates
PPT PowerPoint Files
REG Registration Entries
SCR Screen Saver
SCT Windows Script Component
SHB Document Shortcut File
SHS Shell Scrap Object
SYS System Config/Driver
URL Internet Shortcut (Uniform Resource Locator)
VB VBScript File
VBE VBScript Encoded Script File
VBS VBScript Script File
WSC Windows Script Component
WSF Windows Script File
WSH Windows Scripting Host Settings File
XL* Excel Files and Templates
ZIP Compressed File
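For mail administrators, the extension list above and the Sober.X attachment names from this advisory can be turned into a simple attachment-name check. This is an added example, not ASW's own tooling; the function names, the rule that an inner extension of 1 to 4 characters counts as a double extension, and the pattern used for [RANDOM CHARACTERS] are assumptions.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Extensions from the list above; "DO*" and "XL*" are prefix wildcards.
LISTED = """ADE ADP BAS BAT CHM CMD COM CPL CRT DLL DO* EXE HLP HTA INF INS ISP
JS JSE LNK MDB MDE MSC MSI MSP MST OCX PCD PIF POT PPT REG SCR SCT SHB SHS SYS
URL VB VBE VBS WSC WSF WSH XL* ZIP""".split()
EXT_RE = re.compile(
    "^(?:" + "|".join(re.escape(e).replace(r"\*", ".*") for e in LISTED) + ")$",
    re.IGNORECASE)
# Attachment names from this advisory. Assumption: [RANDOM CHARACTERS] is
# one or more letters, digits or underscores.
SOBER_RE = re.compile(r"^(?:reg_pass(?:-data)?|mail(?:_body|text)?"
                      r"|(?:question_)?list\w+|downloadm)\.zip$", re.IGNORECASE)

def check_attachment(filename):
    """Return the reasons an attachment name is suspicious (empty list if none)."""
    name = filename.strip().rstrip(". ")  # Windows drops trailing dots/spaces
    parts = name.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if SOBER_RE.match(name):
        reasons.append("sober-x-name")
    if ext and EXT_RE.match(ext):
        reasons.append("listed-extension:" + ext.upper())
        # Double extension such as mypicture.bmp.vbs: a short, harmless-looking
        # inner extension in front of the one Windows actually acts on.
        if len(parts) > 2 and 1 <= len(parts[-2]) <= 4 and parts[-2].isalnum():
            reasons.append("double-extension")
    return reasons

def scan_message(raw):
    """Map each flagged attachment filename in a raw message to its reasons."""
    findings = {}
    for part in message_from_string(raw).walk():
        filename = part.get_filename()
        if filename and check_attachment(filename):
            findings[filename] = check_attachment(filename)
    return findings

def build_sample():
    """Constructed test message; the attachment payloads are placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Mail delivery failed"
    msg.set_content("The full mail-text and header is attached!")
    for fn in ("mail_body.zip", "mypicture.bmp.vbs", "notes.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fn)
    return msg.as_string()
```

Calling scan_message(build_sample()) flags mail_body.zip and mypicture.bmp.vbs and leaves notes.txt alone. The check looks only at attachment names, so it complements up-to-date virus definitions and does not replace them.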
It is also highly recommended that Windows users keep up to date on Critical Security Updates to reduce vulnerability from such a virus automatically executing itself even if you do not open the attachment. More information on Critical Security Updates, and using the Windows Update feature is provided on the appropriate ASW Windows Update pages for Windows 98, ME and XP.
Viruses and worms also spread through file-sharing networks such as KaZaA and through IRC. ASW does not condone or recommend the use of such file-sharing networks or IRC.
Following these simple recommendations will greatly decrease your chances of getting a virus. For those who prefer using anti-virus software, ASW recommends that any anti-virus software be installed by a qualified person who can properly install such software. Installing anti-virus software incorrectly can cause your computer system to experience poor performance and system errors. ASW customers may contact us for our recommendations or to schedule anti-virus software installation.