Hi All,

Sober O appears to be spreading. Info at http://www.sarc.com/avcenter/venc/data/w32.sober.o@mm.html

Cheers
Jlo
Trend Micro Medium Risk Virus Alert - WORM_SOBER.S

Dear Trend Micro customer,

As of May 2, 2005, 11:50 AM (Pacific Daylight Time/GMT -7:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_SOBER.S. TrendLabs has received numerous infection reports indicating that this malware is spreading in Germany and the U.S.A.

This worm spreads by mass-mailing copies of itself using its own SMTP (Simple Mail Transfer Protocol) engine. It gathers its target recipients from files with certain extension names. Notably, it avoids sending messages to addresses that contain specific strings.

Using social engineering techniques, it sends out an email supposedly sent by the soccer organization FIFA, informing recipients that they have won tickets for the upcoming FIFA World Cup 2006 in Germany.

The email it sends out has the following details:

From: (any of the following)
- Admin
- hostmaster
- info
- postmaster
- register
- service
- webmaster

Subject: (any of the following German subjects)
- Glueckwunsch: Ihr WM Ticket
- Ich bin's, was zum lachen
- Ihr Passwort
- Ihre E-Mail wurde verweigert
- Mail-Fehler!*
- WM Ticket Verlosung*WM-Ticket-Auslosung

(or any of the following English subjects)
- Re:
- Your Password
- Registration Confirmation
- Your email was blocked
- mailing error

Message body: (any of the following)
- Passwort und Benutzer-Informationen befinden sich in der beigefuegten Anlage. *-* http://www. *-* MailTo: PasswordHelp
- Diese E-Mail wurde automatisch erzeugt Mehr Information finden Sie unter http://www.
- Folgende Fehler sind aufgetreten:
- Fehler konnte nicht Explicit ermittelt werden
- End Transmission
- Aus Datenschutzrechtlichen Gruenden, muss die vollstaendige E-Mail incl. Daten gezippt & angehaengt werden. Wir bitten Sie, dieses zu beruecksichtigen.
- Auto ReMailer# [
- Nun sieh dir das mal an! Was ein Ferkel ....
- Herzlichen Glueckwunsch, --- FIFA-Pressekontakt: ok ok ok,,,,, here is it r die 64 Spiele der Weltmeisterschaft 2006 in Deutschland sind Sie dabei. Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang. ok2006 Team St. Rainer Gellhaus error- --- Pressesprecher Jens Grittner und Gerd Graus --- FIFA Fussball-Weltmeisterschaft 2006 --- Organisationskomitee Deutschland --- Tel. 069 / 2006 - 2600 --- Jens.Grittner@ok2006.de --- Gerd.Graus@ok2006.de
- Account and Password Information are attached! Visit: http://www.
- AntiVirus Service **** WebSite:

Attachment: (any of the following)
- mail_info.zip
- okTicket-info.zip
- LOL.zip
- _PassWort-Info.zip
- autoemail-text.zip

TrendLabs will be releasing the following EPS deliverables:
- TMCM Outbreak Prevention Policy 171
- Official Pattern Release 2.611.00
- Damage Cleanup Template 588

For more information on WORM_SOBER.S, you can visit our Web site at: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.S
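An added example, not part of the original post or of any Trend Micro tooling: a mail-gateway style check that parses a raw message and reports which of the sender, subject and attachment indicators listed in the alert above it matches. The function names, the "attachment plus one other indicator" rule and the sample message are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators as listed in the WORM_SOBER.S alert. "Re:" is left out: too generic to match on.
SENDERS = {"admin", "hostmaster", "info", "postmaster", "register", "service", "webmaster"}
SUBJECTS = {
    "glueckwunsch: ihr wm ticket", "ich bin's, was zum lachen", "ihr passwort",
    "ihre e-mail wurde verweigert", "wm ticket verlosung", "wm-ticket-auslosung",
    "your password", "registration confirmation", "your email was blocked", "mailing error",
}
ATTACHMENTS = {"mail_info.zip", "okticket-info.zip", "lol.zip",
               "_passwort-info.zip", "autoemail-text.zip"}

def sober_s_hits(raw: bytes) -> set:
    """Return the indicator classes ('sender', 'subject', 'attachment') a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    local_part = parseaddr(str(msg.get("From", "")))[1].split("@")[0].lower()
    if local_part in SENDERS:
        hits.add("sender")
    subject = str(msg.get("Subject", "")).strip().lower()
    # "Mail-Fehler!" carries a trailing '*' in the alert; treated as a prefix here (assumption).
    if subject in SUBJECTS or subject.startswith("mail-fehler!"):
        hits.add("subject")
    # walk() visits every MIME part, so inline parts that carry a filename are checked too.
    names = {(part.get_filename() or "").lower() for part in msg.walk()}
    if names & ATTACHMENTS:
        hits.add("attachment")
    return hits

def is_suspect(raw: bytes) -> bool:
    """Sender names and subjects alone are common in legitimate mail, so require
    a listed attachment name plus at least one other indicator (assumed policy)."""
    hits = sober_s_hits(raw)
    return "attachment" in hits and len(hits) >= 2

def build_sample(with_attachment: bool) -> bytes:
    """Constructed test message; the attachment is an empty ZIP archive (22 bytes)."""
    m = EmailMessage()
    m["From"] = "postmaster@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = "Your Password"
    m.set_content("Account and Password Information are attached!")
    if with_attachment:
        m.add_attachment(b"PK\x05\x06" + b"\x00" * 18, maintype="application",
                         subtype="zip", filename="mail_info.zip")
    return m.as_bytes()

if __name__ == "__main__":
    for flag in (True, False):
        raw = build_sample(flag)
        print(sorted(sober_s_hits(raw)), "suspect" if is_suspect(raw) else "pass")
```

Matching on the attachment name first keeps ordinary postmaster or password-reset mail from being flagged on sender or subject alone.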
Panda: Sober.V give tickets for the FIFA World Cup

- New worm Sober.V give tickets for the FIFA World Cup 2006 in Germany for free to cheat users with social engineering techniques -

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

MADRID, May 3, 2005- The new variant V of the worm Sober (Sober.V) has begun spreading and infecting several computers from US, Germany, Austria and Switzerland. It is supposedly sent by the soccer organization FIFA and give users tickets for the FIFA World Cup 2006 in Germany for free.

This new worm distributes itself by its own SMTP engine in English or in German, choosing the language depending on the domain and the country in which it will be distributed. Sober.V sends itself out to all the addresses it has gathered from the infected computer.

This new worm, which is using social engineering to cheat users, comes from a random address chosen from one of the following: Admin, Hostmaster, Info, Postmaster, Register, Service or Webmaster. Furthermore, Sober.V avoids sending messages to addresses containing some strings in its domain.

The subject can be one of the following:
- Glueckwunsch: Ihr WM Ticket
- mailing error
- Ich bin's, was zum lachen
- Re:
- Ihr Passwort
- Registration Confirmation
- WM Ticket Verlosung
- Your email was blocked
- WM-Ticket-Auslosung
- Your Password

Panda Software's clients can already access the updates for installing the new TruPrevent(tm) Technologies along with their antivirus protection, providing a preventive layer of protection against new malware. For users with a different antivirus program installed, Panda TruPrevent(tm) Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection.

In order to help as many users as possible scan and disinfect their computers, Panda Software offers Panda ActiveScan, free of charge, at http://www.pandasoftware.com. ActiveScan is also available to webmasters that want to include it on their websites. Those who would like to include it on their sites can request the HTML code from http://www.pandasoftware.com/partners/webmasters/

For further information about this and other malicious code, visit Panda Software's Virus Encyclopedia at http://www.pandasoftware.com/virus_info/encyclopedia/.
Re: Panda: Sober.V give tickets for the FIFA World Cup

Maybe Panda reads here post's or wtf?!
https://www.wilderssecurity.com/showpost.php?p=448156&postcount=8
Re: Panda: Sober.V give tickets for the FIFA World Cup

Maybe the Devil made them do it
http://www.dslreports.com/forum/remark,13312109~start=0#13317324

But it is not the first time something like this has happened. Can you name the one used in 2002 and 1998?

Virus Writers Slapped With Red Card
By Tim Gray

One of the biggest sporting events in the world may be more than a year away, but the games have already begun on the Internet.

It seems scammers are gearing up for the June 2006 multi-national soccer event, to be held in Germany, by sending out millions of virus-carrying e-mails advertising ticket confirmations for the matches.

World Cup organizers are trying to get the word to prospective fans that the messages are actually carrying a nasty payload and should be ignored.

The messages appear in recipients' inboxes as originating from the Fédération Internationale de Football (FIFA). The worm, a variant of the Sober virus, then harvests e-mail addresses from the victim and launches a barrage of spam to the acquired addresses, according to anti-virus firm McAfee.

Security firm Trend Micro has included the virus in its "red alert" category, while McAfee said the social engineering gambit posed a "medium risk" to Internet users.

Panda Software said on its Web site that the virus was spreading in English and German, and had already hit computers in Austria, Germany, Switzerland and the United States.

Fans receiving e-mails from Ticket@fifa.de and Gewinn@fifa.de should not open the attachments.

A total of 2.93 million tickets to the quadrennial event will be sold to the general public in five stages, according to the FIFA Web site. The huge number of tickets likely makes the event a prime target for these scams. More than 800,000 tickets have already been sold during the first stage and Tuesday marked the beginning of stage two.

The virus marks the third time in the last three World Cups where scammers have successfully launched a virus directed at fans. In 2002 a virus masqueraded as onscreen scores and in 1998, a virus was hidden in a fake contest that asked recipients who they thought would win the tournament.

http://www.internetnews.com/security/article.php/3502216
VSAntivirus: "W32/Sober.O. It sends messages in English or German"

English Transl: http://babelfish.altavista.com/babe...&trurl=http://www.vsantivirus.com/sober-o.htm
Spanish Link: http://www.vsantivirus.com/sober-o.htm

Name: W32/Sober.O
Name NOD32: Win32/Sober.O
Type: Internet worm
Alias: Sober.O, Sober.P, Email-Worm.Win32.Sober.p, I-Worm/Sober.P, Sober.O@mm, W32.Sober.O@mm, W32/Sober.p@MM, W32/Sober.p@MM!zip, W32/Sober.V.worm, W32/Sober-N, Win32.Sober.O@mm, Win32/Sober.53554!Worm, Win32/Sober.O, Worm.Sober.2, Worm.Sober.P, WORM_SOBER.S
Date: 2/may/05
Platform: Windows 32-bit
Size: 53.554 bytes (UPX), 53.728 bytes (ZIP)
Aggregated Links to the Vendors' WriteUps on this worm:

Symantec: W32.Sober.O@mm
McAfee: W32/Sober.p@MM
Computer Associates: Win32.Sober.N
Sophos: W32/Sober-N
TrendMicro: WORM_SOBER.S
VSAntivirus: W32/Sober.O
Kaspersky: Email-Worm.Win32.Sober.p
BitDefender: Win32.Sober.O@mm
F-Secure: Sober.P
Norman: Sober.O@mm
F-Prot: W32/Sober.O@mm
Panda: Sober.V