New Sober Worm (Virus) on the Loose

Date: 11/23/2004
We have gotten several of these this morning so watch your mail from this one. Your virus filters may not catch it yet.

From eWEEK:

New Sober Worm on the Loose
By Dennis Fisher
November 19, 2004
A new version of the Sober worm appeared on the Internet early Friday morning and already it is having quite a bit of success infecting users in Europe through the use of social engineering.

Sober.J arrives in an e-mail message that appears to be a returned-mail error message, telling the user that an e-mail sent earlier has bounced. The message typically contains a .zip, .bat, .com, .scr or .pif attachment and a body text that is some variation on the following:

This mail was generated automatically.More info about --YAHOO-- under: http://www.yahoo.com-------
Occured_Errors:178.218.194.86_
does_not_like_recipient.# 185:
MAILBOX NOT FOUND# 144:
Giving_up_on_178.218.194.86.# 533:
This_account_has_been_discontinued_
[#413].End-------
The original mail is attached.Auto_Mail.System: [yahoo]

The subject line of the e-mail message varies, but often indicates that the message is a warning about a bounced e-mail, such as:

Delivery_failure_notice
Faulty_mail delivery
Mail_delivery failed

When the recipient opens the attachment, the worm displays a fake error message saying that a portion of the WinZip software is missing. The worm then copies itself to the Windows System folder in two separate locations, using filenames that it constructs dynamically from a small set of common strings, including sys, spool, crypt, host, dir, service, win, run, 32, data, and a few others, according to an analysis by McAfee Inc., based in Santa Clara, Calif. The filename always ends in "exe."

Sober.J then creates several registry keys to ensure it will be run on startup and searches for e-mail addresses on the infected machine. It then begins mailing itself to all of the addresses it finds.
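
A mail-gateway triage heuristic built from the indicators the article lists, as an added example that is not part of the eWEEK article or the original post. The function names, the quarantine rule and the sample message are assumptions constructed for illustration, and the indicator lists are only as complete as the article's.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the article text; the article says subjects vary,
# so these lists are not exhaustive.
SUBJECTS = {"delivery failure notice", "faulty mail delivery", "mail delivery failed"}
RISKY_EXTS = (".zip", ".bat", ".com", ".scr", ".pif")
BODY_MARKERS = ("this mail was generated automatically", "the original mail is attached")

def _norm(text):
    """Lower-case and collapse underscores/whitespace, which the worm mixes freely."""
    return re.sub(r"[_\s]+", " ", text or "").strip().lower()

def sober_j_indicators(raw):
    """Return the set of article-derived indicators present in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if _norm(msg["Subject"]) in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTS):
            hits.add("attachment")
        elif part.get_content_type() == "text/plain" and not name:
            body = _norm(part.get_content())
            if any(marker in body for marker in BODY_MARKERS):
                hits.add("body")
    return hits

def should_quarantine(raw):
    """Hypothetical rule: risky attachment plus a bounce-style subject or body."""
    hits = sober_j_indicators(raw)
    return "attachment" in hits and bool(hits & {"subject", "body"})

def build_sample():
    """Constructed sample: bounce-style message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = "postmaster@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Mail_delivery failed"
    m.set_content("This mail was generated automatically.\nThe original mail is attached.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="mail.pif")
    return m.as_bytes()
```

Requiring the attachment indicator keeps genuine bounce notices, which share the subject wording but carry no executable or archive attachment of these types, out of quarantine.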

© 1997-2009 ThriftyFun.com - Design by Cumuli Design